(1) mysql_real_escape_string -- Escape special characters in strings used in SQL statements, taking into account the current character set of the connection
Used as follows:
    $sql = "select count(*) as ctr from users where username = '" . mysql_real_escape_string($username) . "' and "
         . "password = '" . mysql_real_escape_string($pw) . "' limit 1";
Use mysql_real_escape_string() as a wrapper around user input to defuse any malicious SQL injection in that input.
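The login query above rebuilt with mysqli, as an added example that is not part of the original tutorial: ext/mysql and mysql_real_escape_string() were removed in PHP 7, and mysqli::real_escape_string() is the direct replacement, which likewise depends on the connection's character set. It also shows why escaping alone does not cover an unquoted numeric value, which is what the intval() check in section (3) is for. The host, credentials and database name are placeholders, and the inputs are constructed samples.

```php
<?php
// Added example, not code from the original tutorial.
// Assumes a MySQL server reachable with the placeholder credentials below.

function login_count_sql(mysqli $db, string $username, string $pw): string
{
    // Escaped values are only safe inside single-quoted string literals.
    $u = $db->real_escape_string($username);
    $p = $db->real_escape_string($pw);
    return "select count(*) as ctr from users where username = '$u' "
         . "and password = '$p' limit 1";
}

function user_by_id_sql($id): ?string
{
    // An unquoted number gets no protection from escaping, so it is
    // validated and cast instead, as the tutorial's verify_id() does.
    if (!is_numeric($id)) {
        return null;              // reject rather than interpolate
    }
    return "select * from users where id = " . intval($id) . " limit 1";
}

$db = new mysqli('localhost', 'app_user', 'app_password', 'appdb'); // placeholders
if ($db->connect_error) {
    exit("connect failed: " . $db->connect_error);
}
// The escaping rules follow the connection charset, so set it before escaping.
$db->set_charset('utf8mb4');

// Constructed sample input: the quote in "o'neil" is escaped to \' so it
// cannot terminate the string literal.
echo login_count_sql($db, "o'neil", "s3cret"), "\n";

// Constructed sample inputs for the unquoted numeric path.
var_dump(user_by_id_sql("42"));
var_dump(user_by_id_sql("42abc"));
```

Parameterized queries (mysqli or PDO prepared statements) avoid building literals by hand and are the usual replacement for this escape-and-concatenate pattern.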
(2) Turn on magic_quotes_gpc to prevent SQL injection
There is a setting in php.ini: magic_quotes_gpc = Off
It is off by default. When it is on, PHP automatically escapes the GET, POST and cookie data submitted by the user,
for example converting ' to \', which plays a significant role in preventing SQL injection.
If magic_quotes_gpc = Off, use the addslashes() function instead.
(3) Custom function
    function inject_check($sql_str) {
        // eregi() was removed in PHP 7; preg_match() with the /i flag gives the same case-insensitive test
        return preg_match('/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i', $sql_str);
    }

    function verify_id($id = null) {
        if (!$id) {
            return false;              // rejection body is missing from the page
        } elseif (inject_check($id)) {
            return false;              // rejection body is missing from the page
        } elseif (!is_numeric($id)) {
            return false;              // rejection body is missing from the page
        }
        $id = intval($id);
        return $id;
    }

    function str_check($str) {
        // get_magic_quotes_gpc() no longer exists in PHP 8, so a missing function counts as "off"
        if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
            $str = addslashes($str);   // filter
        }
        $str = str_replace("_", "\_", $str);   // escape LIKE wildcards
        $str = str_replace("%", "\%", $str);
        return $str;
    }

    function post_check($post) {
        if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
            $post = addslashes($post); // same filter as str_check(); this line was lost on the page
        }
        $post = str_replace("_", "\_", $post);
        $post = str_replace("%", "\%", $post);
        $post = nl2br($post);
        $post = htmlspecialchars($post);
        return $post;
    }
The above introduces the most complete set of methods for preventing SQL injection, covering every aspect. I hope it is helpful to readers interested in PHP tutorials.