Home >Backend Development >PHP Problem >PHP anti-sql injection method

PHP anti-sql injection method

藏色散人
藏色散人Original
2020-11-02 09:10:5812012browse

php methods to prevent SQL injection: 1. Use the mysql_real_escape_string method to escape special characters in the string used in SQL statements; 2. Turn on magic_quotes_gpc to prevent SQL injection; 3. Prevent SQL injection through custom functions .

PHP anti-sql injection method

Recommended: "PHP Video Tutorial"

PHP Mysql method to prevent SQL injection

This article introduces the method of preventing SQL injection in PHP Mysql:

Method 1:

mysql_real_escape_string -- Escape the string used in the SQL statement special characters, taking into account the current character set of the connection!

$sql = "select count(*) as ctr from users where username
='".mysql_real_escape_string($username)."' and
password='". mysql_real_escape_string($pw)."' limit 1";

Method 2:

Open magic_quotes_gpc to prevent SQL injection. There is a setting in php.ini: magic_quotes_gpc = Off. This is turned off by default. If it is turned on, it will automatically convert user-submitted SQL queries, such as converting ' to \', etc., which plays a major role in preventing SQL injection.

If magic_quotes_gpc=Off, use the addslashes() function.

Method 3:

Custom function

/**
* 防止sql注入自定义方法一
* author: xiaochuan
* @param: mixed $value 参数值
*/ 
function check_param($value=null) { 
        #  select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile
    $str = 'select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile';
  
    if(!$value) {
  
        exit('没有参数!'); 
  
    }elseif(eregi($str, $value)) { 
  
        exit('参数非法!');
  
    }
  
    return true; 
} 
   
  
  
  
  
  
  
/**
* 防止sql注入自定义方法二
* author: xiaochuan
* @param: mixed $value 参数值
*/
function str_check( $value ) { 
  
    if(!get_magic_quotes_gpc()) { 
  
        // 进行过滤 
        $value = addslashes($value); 
  
    } 
  
    $value = str_replace("_", "\_", $value); 
  
    $value = str_replace("%", "\%", $value); 
       
   return $value; 
} 
   
  
  
  
  
  
/**
* 防止sql注入自定义方法三
* author: xiaochuan
* @param: mixed $value 参数值
*/
function post_check($value) { 
  
    if(!get_magic_quotes_gpc()) {
  
        // 进行过滤  
        $value = addslashes($value);
  
    } 
  
    $value = str_replace("_", "\_", $value); 
  
    $value = str_replace("%", "\%", $value); 
  
    $value = nl2br($value); 
  
    $value = htmlspecialchars($value); 
  
    return $value; 
}

The above is the details of how to prevent SQL injection in PHP Mysql

The above is the detailed content of PHP anti-sql injection method. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn