PHP addslashes and other methods of clearing spaces are not safe

  • 2020-05-10 17:54:13
  • OfStack

Clearing spaces is not safe, in part because there are so many different space characters. For example: "the problem with addslashes is that attackers can use 0xbf27 instead of a single quote. addslashes simply changes 0xbf27 into 0xbf5c27, which is then read as a valid multi-byte character followed by a quote: 0xbf5c is taken as one character, and the remaining 0x27 is still a single quote, so addslashes cannot successfully intercept it."

It is better to validate each parameter according to its specific requirements (for example, check that it really is an int) and to use the database's own parameterised query methods. At bottom this is an SQL problem of the database itself, which should be solved at the source, the database; some databases do provide the corresponding methods.

SQL injection is the most common method used by attackers against websites. If your site does not strictly validate user input, it is often vulnerable to SQL injection. The attack is usually carried out by submitting malicious data or query fragments to the site's database, potentially exposing, changing or deleting records in the database.

To help prevent SQL injection, PHP ships with a feature, Magic Quotes (the magic_quotes_gpc setting in php.ini), that pre-processes input strings at a low level. If magic_quotes_gpc is enabled, single quotes, double quotes and certain other characters in the input string are automatically prefixed with a backslash (\).

But Magic Quotes is not a universal solution: it does not block every potentially dangerous character, and it is not enabled on many servers. So we need other methods to prevent SQL injection.

Many databases provide this input-processing capability themselves. For example, PHP's MySQL functions include addslashes(), mysql_real_escape_string() and mysql_escape_string(), which escape special characters and characters that could cause database operation errors. So what is the difference between these three functions? Let's look at them in more detail.

Although many PHP programmers in China still rely on addslashes to prevent SQL injection, it is recommended to strengthen the checking of Chinese input against SQL injection. The problem with addslashes is that attackers can use 0xbf27 instead of a single quote, while addslashes only changes 0xbf27 into 0xbf5c27, which is read as a valid multi-byte character followed by a quote: 0xbf5c is taken as one character, and the remaining 0x27 is still a single quote, so addslashes cannot successfully intercept it.

Of course, addslashes is not useless: it is suitable for processing single-byte strings. For multi-byte characters, use mysql_real_escape_string instead.
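The byte-level behaviour described above, as an added example that is not code from the original article. It needs no database: mbstring is used to show how the same three bytes are split into characters under a multi-byte charset (GBK) and under a single-byte one, and why that decides whether the backslash inserted by addslashes() still protects the quote. The helper names are my own.

```php
<?php
// Added example, not from the article: why addslashes() is not a reliable escape
// once the connection charset is multi-byte (GBK here). addslashes() works byte
// by byte; the database server reads the result as characters.

// Split $bytes into characters the way $charset would, and return each
// character as hex, so the reader can see where the character boundaries fall.
function char_boundaries(string $bytes, string $charset): array
{
    return array_map('bin2hex', mb_str_split($bytes, 1, $charset));
}

// True when the last character of $escaped is a bare single quote, i.e. when the
// backslash that addslashes() inserted was swallowed by the preceding character.
function quote_is_bare(string $escaped, string $charset): bool
{
    $chars = mb_str_split($escaped, 1, $charset);
    return end($chars) === "'";
}

// Constructed input: the 0xbf 0x27 byte pair the article describes.
$input   = "\xbf\x27";
$escaped = addslashes($input);   // byte-based: the 0x27 gets a 0x5c in front of it

echo "escaped bytes: ", bin2hex($escaped), PHP_EOL;

// Under GBK, 0xbf 0x5c is one valid two-byte character, so the split yields that
// character followed by a lone 0x27: the quote is no longer escaped.
echo "GBK character boundaries:    ", implode(' ', char_boundaries($escaped, 'GBK')), PHP_EOL;
echo "GBK quote is bare:           ", var_export(quote_is_bare($escaped, 'GBK'), true), PHP_EOL;

// Under a single-byte charset every byte is its own character, so the backslash
// sits directly in front of the quote and does its job.
echo "latin1 character boundaries: ", implode(' ', char_boundaries($escaped, 'ISO-8859-1')), PHP_EOL;
echo "latin1 quote is bare:        ", var_export(quote_is_bare($escaped, 'ISO-8859-1'), true), PHP_EOL;

// Consequence: only an escape that knows the connection charset (or, better,
// a bound parameter that never enters the SQL text) can place the boundary correctly.
```

mb_str_split() needs PHP 7.4 or later; on older versions mb_substr() in a loop gives the same split. The point to take away is that the charset used for the split must be the charset the database connection actually uses, which is exactly what addslashes() cannot know.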

In addition, the PHP manual gives this example for get_magic_quotes_gpc:

    // Magic quotes were removed in PHP 5.4 (get_magic_quotes_gpc() always returns
    // false from 5.4 on and no longer exists in PHP 8), so this check only matters
    // on older installations.
    if (!get_magic_quotes_gpc()) {
        // magic quotes are off: escape manually
        $lastname = addslashes($_POST['lastname']);
    } else {
        // magic quotes are on: the backslashes are already there
        $lastname = $_POST['lastname'];
    }

Even when magic_quotes_gpc is already on, it is best to validate $_POST['lastname'] once more.

Again, the differences between mysql_real_escape_string and mysql_escape_string are as follows:
mysql_real_escape_string requires PHP 4 >= 4.3.0 or PHP 5; on older versions only mysql_escape_string is available. The difference between the two is that mysql_real_escape_string takes the current character set of the connection into account, while mysql_escape_string does not.

Conclusion 1:

* addslashes() unconditionally prefixes a backslash (\);
* mysql_real_escape_string() takes the character set into account, but requires a recent enough PHP version;
* mysql_escape_string() does not consider the current character set of the connection.
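Putting the three conclusions and the earlier advice (validate ints, use the database's parameter methods) into one working pattern, as an added example that is not code from the article. The mysql_* functions the article names were removed in PHP 7; the charset-aware equivalents in mysqli are mysqli_set_charset() and mysqli_real_escape_string(), used here in object style. The table name `users`, its columns, and the connection parameters are placeholders I assumed; get_result() needs the mysqlnd driver.

```php
<?php
// Added example, not from the article. Assumes a mysqli connection and a table
// users(id INT, lastname VARCHAR(...)); both are placeholders.

// 1. Integer parameters: validate the type instead of escaping the string.
//    FILTER_VALIDATE_INT rejects anything that is not a whole decimal number
//    ("12abc", "1 OR 1=1", "" and null all yield false).
function user_id_from_request(array $request): ?int
{
    $id = filter_var(
        $request['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// 2. String parameters: bind them. The value is sent separately from the SQL
//    text, so no escaping decision about character boundaries has to be made.
function find_user_by_lastname(mysqli $db, string $lastname): array
{
    // Set the connection charset through the client library, not with
    // "SET NAMES": only set_charset() updates what real_escape_string() and
    // the driver believe the charset to be.
    $db->set_charset('utf8mb4');

    $stmt = $db->prepare('SELECT id, lastname FROM users WHERE lastname = ?');
    $stmt->bind_param('s', $lastname);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 3. Legacy path for SQL that really cannot be parameterised: escape with the
//    connection charset in force (the mysql_real_escape_string() case from the
//    article), never with addslashes() or the charset-blind mysql_escape_string().
function legacy_lastname_literal(mysqli $db, string $lastname): string
{
    $db->set_charset('utf8mb4');
    return "'" . $db->real_escape_string($lastname) . "'";
}

// Usage with placeholder credentials (assumed):
// $db   = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// $id   = user_id_from_request($_GET);            // null means "reject the request"
// $rows = find_user_by_lastname($db, $_POST['lastname'] ?? '');
```

With this layout the charset decision is made once, by the client library, and the common case (a looked-up string) never touches the escaping code at all; real_escape_string() remains only for the rare SQL that has to be assembled by hand.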

dz (Discuz!) prevents SQL injection with addslashes, and with preg_replace('/&amp;((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', $string), applied after & has been replaced by &amp;, restores numeric character references such as &#20013;; this substitution solves the injection problem as well as some of the problems of garbled Chinese.
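The escaping step attributed to Discuz! above, reconstructed as an added example (my own code, not the article's and not copied from the Discuz! source): a plain HTML escape of the four dangerous characters, followed by the regular expression that restores the numeric character references which the first step had turned into &amp;#...;. The function name and the sample inputs are constructed.

```php
<?php
// Added example, not from the article: HTML-escape user text while keeping
// numeric character references (decimal with 3 to 5 digits, or hex with 4
// digits) intact, which is what keeps Chinese text readable after escaping.
function escape_keep_numeric_entities(string $string): string
{
    // Step 1: ordinary escaping. This also turns "&#20013;" into "&amp;#20013;".
    $string = str_replace(
        ['&', '"', '<', '>'],
        ['&amp;', '&quot;', '&lt;', '&gt;'],
        $string
    );
    // Step 2: undo step 1 only where a numeric reference followed the ampersand.
    return preg_replace('/&amp;((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', $string);
}

// Constructed sample inputs covering each branch of the pattern.
$samples = [
    'a < b && c > d',         // bare markup characters: all escaped
    '"><script>',             // a typical markup break-out: escaped
    '&#20013;&#25991;',       // decimal references (5 digits): restored
    '&#x4E2D;',               // hex reference (4 hex digits): restored
    '&#12;',                  // only 2 digits: outside \d{3,5}, stays escaped
    'Tom &amp; Jerry',        // an already-escaped "&": double-escaped, not a reference
];

foreach ($samples as $in) {
    printf("%-22s -> %s\n", $in, escape_keep_numeric_entities($in));
}
```

Note what the pattern does not cover: named references such as &amp;lt; are left double-escaped, and decimal references with fewer than three or more than five digits stay escaped too, which is why Chinese code points (all five-digit decimals) are the main beneficiaries.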
