PHP-Specific Ways to Prevent SQL Injection

  • 2021-06-28 08:53:39
  • OfStack

Besides writing code fluently, a good PHP programmer needs to be able to keep a program running in a secure environment. Today we explain how to prevent SQL injection in PHP.

When it comes to website security, SQL injection has to be mentioned. If you have used ASP, you probably already have a good understanding of SQL injection. PHP is relatively secure, because the MySQL 4 series does not support sub-statements, and because when magic_quotes_gpc in php.ini is On,

all ' (single quotes), " (double quotes), \ (backslashes) and NUL characters in submitted variables are automatically converted into backslash-escaped characters, which causes a lot of trouble for SQL injection.

Note the word "trouble": this does not mean that PHP prevents SQL injection. There are ways to bypass the escaping by changing the encoding of the injected statement, for example converting the SQL to ASCII codes (such as char(100,58,92,108,111,99,97,108,104,111,115,116...)), to hexadecimal, or to other encodings. Once the escape filtering has been bypassed this way, how do we prevent the attack?

a. Turn on magic_quotes_gpc or use the addslashes() function

In newer PHP versions there is no conflict even if magic_quotes_gpc is turned on and the addslashes() function is also used, but for better compatibility across versions it is recommended to check the magic_quotes_gpc state before calling the escaping function, or to turn it off directly, with code such as the following:

PHP code to prevent SQL injection

// Remove the escape characters added by magic_quotes_gpc
function stripslashes_array($array) {
    if (is_array($array)) {
        foreach ($array as $k => $v) {
            $array[$k] = stripslashes_array($v);
        }
    } else if (is_string($array)) {
        $array = stripslashes($array);
    }
    return $array;
}
// magic_quotes_runtime was removed in PHP 7.0 and magic_quotes_gpc in PHP 5.4
// (its getter in PHP 8.0); guard the calls so the code still runs there.
if (function_exists('set_magic_quotes_runtime')) {
    @set_magic_quotes_runtime(0);
}
// Check the magic_quotes_gpc state
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}

After removing the escaping done by magic_quotes_gpc, use the addslashes() function as follows:

PHP Code to Prevent SQL Injection

$keywords = addslashes($keywords);
$keywords = str_replace("_", "\_", $keywords); // escape "_" (a LIKE wildcard)
$keywords = str_replace("%", "\%", $keywords); // escape "%" (a LIKE wildcard)

The last two str_replace() escapes are there to prevent an attacker from rewriting the SQL (the _ and % characters are LIKE wildcards) to mount an attack.

b. Force the character format (type)

In many cases we use URLs like xxx.php?id=xxx. Generally $id is an integer variable. To prevent an attacker from replacing $id with an attack statement, we force the variable's type as follows:

PHP code to prevent SQL injection

$id=intval($_GET['id']);

Of course there are other variable types too; where necessary, force their format as well.

c. Quote variables in SQL statements

This is a simple point, but it is also an easy habit to form. Let's start with these two SQL statements:

SQL Code


SELECT * FROM article WHERE articleid='$id' 
SELECT * FROM article WHERE articleid=$id

Both forms are common in all kinds of programs, but their security differs. In the first statement the variable $id is placed within a pair of single quotes, so whatever we submit becomes a string; even if it contains a valid SQL statement, it will not execute. The second statement is different: because the variable is not in single quotes, as soon as what we submit contains a space, everything after that space is executed as part of the SQL statement. So we need to develop the habit of quoting variables in SQL statements.
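As an added example (not code from the original article), the following PHP puts sections a to c together: intval() for an integer id, addslashes() plus wildcard escaping for a keyword, and single quotes around both in the SQL. The article table and articleid column are the article's; the title column is assumed.

```php
<?php
// Added example, not code from the original article. Table "article" and
// column "articleid" come from the article; the "title" column is assumed.

// Section b: force the type. intval() keeps only a leading integer, so any
// text that follows a space in the submitted value is discarded.
function articleByIdQuery(string $rawId): string
{
    $id = intval($rawId);
    // Section c: still quote the value; the habit costs nothing.
    return "SELECT * FROM article WHERE articleid='$id'";
}

// Section a: escape quotes and backslashes, then the LIKE wildcards.
// Order matters: addslashes() doubles backslashes, so escaping % and _ first
// would turn "\%" into "\\%", which MySQL reads as a backslash and a wildcard.
function escapeKeyword(string $keyword): string
{
    $keyword = addslashes($keyword);
    $keyword = str_replace("_", "\_", $keyword); // literal "_" inside LIKE
    $keyword = str_replace("%", "\%", $keyword); // literal "%" inside LIKE
    return $keyword;
}

function searchQuery(string $rawKeyword): string
{
    $kw = escapeKeyword($rawKeyword);
    return "SELECT * FROM article WHERE title LIKE '%$kw%'";
}

// Constructed inputs: an id with trailing text, and a keyword containing a
// quote and a wildcard. Print the SQL that would reach the server in each case.
echo articleByIdQuery("12 trailing text"), "\n";
echo searchQuery("100% o'clock"), "\n";

// Caveat: addslashes() knows nothing about the connection character set, so
// some multi-byte encodings can still slip a quote past it. mysqli_real_escape_string()
// on an open connection, or better a prepared statement with bound parameters,
// closes that gap; the escaping above is the article's approach, not a replacement.
```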

d. URL pseudo-static (URL rewriting)

URL pseudo-static is also known as URL rewriting. Like Discuz!, rewriting all URLs into a form such as xxx-xxx-x.html is a good approach, helping both SEO and, to some degree, security. However, to prevent SQL injection in PHP this way, you need a certain grounding in regular expressions.
