Detailed explanation of SQL injection vulnerabilities and prevention

The principle of SQL injection: append a piece of SQL code to the original SQL statement, construct a special SQL statement, and use the program's own permissions to implement the required operations.

Suppose there is a user table now:

uidusernamepwd

1adminadmin222

2custome123456

Now perform a login operation:

1. ";  
       print_r($row);  
   ?>

The above code performs a simple login operation. Execute this program in the browser: localhost/test/login.php?user=admin&pwd=admin222, executed The SQL statement is equivalent to: select * from user where username= 'admin' and pwd = 'admin222', and the execution result will be obtained.

If you request: localhost/test/login.php?user=admin&pwd=admin, there will be no query results because the password does not match the user name. That is, the SQL statement: select * from user where username= 'admin' and pwd = 'admin' cannot find the result. Then, if it is a SQL statement: select * from user where username= 'admin' and pwd = 'admin' or 1 = 1;? You can try it yourself, you can get this as follows:

uidusernamepwd

1adminadmin222

2custome123456

If accessed on the client: localhost/test/login What about .php?user=admin&pwd=admin%20or%201=1?

Directly bypassed the verification and obtained the admin user information in the database. This is a simple SQL injection.

SQL injection prevention:

(1) If it is an integer variable, use the intval() function or (int) to convert all incoming parameters into a numerical value.

(2) For character variables, use addslashes() to convert all ' (single quotes), " (double quotes), \ (backslashes) and (spaces) into characters containing backslashes .

(3) Escape or filter some special characters, such as %, etc.

Related recommendations:

The above is the detailed content of Detailed explanation of SQL injection vulnerabilities and prevention. For more information, please follow other related articles on the PHP Chinese website!