PHP MYSQL Injection attacks require seven key precautions

  • 2020-06-07 05:25:10
  • OfStack

1: Digital parameters use methods like intval and floatval to force filtering.

2: String-type parameters use methods like mysql_real_escape_string to force filtering, rather than simple addslashes.

3: It is better to abandon the splicing SQL query mode like mysql_query and use prepare binding mode of PDO as far as possible.

4: rewrite technique is used to hide real script and parameter information. rewrite regularization can also filter suspicious parameters.

5: Turn off the error message and do not provide sensitive information to the attacker: display_errors=off.

6: Log the error messages: log_errors=on and error_log=filename, check them regularly, and the Web log is the best.

7: Do not connect to MySQL with an account with FILE permissions (e.g. root). This blocks dangerous functions such as load_file.

Related articles: