PHP MYSQL Injection attacks require seven key precautions
- 2020-06-07 05:25:10
- OfStack
1: Digital parameters use methods like intval and floatval to force filtering.
2: String-type parameters use methods like mysql_real_escape_string to force filtering, rather than simple addslashes.
3: It is better to abandon the splicing SQL query mode like mysql_query and use prepare binding mode of PDO as far as possible.
4: rewrite technique is used to hide real script and parameter information. rewrite regularization can also filter suspicious parameters.
5: Turn off the error message and do not provide sensitive information to the attacker: display_errors=off.
6: Log the error messages: log_errors=on and error_log=filename, check them regularly, and the Web log is the best.
7: Do not connect to MySQL with an account with FILE permissions (e.g. root). This blocks dangerous functions such as load_file.