(1) mysql_real_escape_string -- Escape special characters in strings used in SQL statements, taking into account the current character set of the connection
Used as follows:
?
1 2 3 |
$sql= "selectcount(*)asctr from users where username
='".mysql_real_escape_string($username)."'and
password='". mysql_real_escape_string($pw)."'limit 1";
|
Use
mysql_real_escape_string()
as a wrapper around user input to avoid any malicious SQL injection in user input.
(2) Turn on magic_quotes_gpc to prevent SQL injection
There is a setting in php.ini: magic_quotes_gpc = Off
This is turned off by default. If it is turned on, it will automatically convert the SQL query submitted by the user,
For example, converting ' to ', etc., plays a significant role in preventing sql injection.
If magic_quotes_gpc=Off, use the addslashes() function
(3) Custom function
?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
functioninject_check($sql_str) {
returneregi('select|insert|and|or|update|delete|'|/*|*|../|./|union|into|load_file|outfile ',$sql_str);
}
functionverify_id($id=null) {
if(!$id) {
}elseif
(inject_check($id)) {elseif(!
is_numeric($id)) {
}$id=intval(
$id);
return$id;
}functionstr_check($str) {
if
(!get_magic_quotes_gpc()) {$$ Str=Addslashhes(
$ Str);
// Filter}
$str=str_replace
("_","_",$str);
$str=str_replace
("%","%",$str);return
$str;}functionpost_check($post) {if
(!get_magic_quotes_gpc()) {
$post=
str_replace(
"_","_",$post
);$post
=str_replace("%","%",$post
);
$post=nl2br($post);$post= htmlspecialchars($post);
}
|
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
