Case Analysis of PHP Preventing Injection Attack

  • 2021-07-24 10:22:09
  • OfStack

This article analyses, with examples, the ways PHP can be used to guard against injection attacks. It is shared here for reference. The analysis is as follows:

PHP addslashes() function: escaping single quotes and backslashes

PHP String function

Definition and usage

The addslashes() function adds a backslash before each of the following predefined characters:
single quote (')
double quote (")
backslash (\)
NUL (the null byte)
Syntax:

addslashes(string)

Parameter   Description
string      Required. The string to be checked.

Tips and Notes

Tip: This function can be used to prepare a string for storage in a database and for use inside a database query statement.
Note: By default the PHP directive magic_quotes_gpc is On, and addslashes() is then run automatically on all GET, POST and COOKIE data. Do not call addslashes() on a string that magic_quotes_gpc has already escaped, because that escapes it twice. Whether magic_quotes_gpc is on can be detected with get_magic_quotes_gpc().

Example

In this example, we want to add a backslash to the predefined characters in the string:

<?php
$str = "Who's John Adams?";
echo $str . " This is not safe in a database query.<br />";
echo addslashes($str) . " This is safe in a database query.";
?>

Output:
Who's John Adams? This is not safe in a database query.
Who\'s John Adams? This is safe in a database query.

get_magic_quotes_gpc function

// Escape a string exactly once: if magic_quotes_gpc already added the
// backslashes, return it unchanged; otherwise apply addslashes() here.
function html($str)
{
    $str = get_magic_quotes_gpc() ? $str : addslashes($str);
    return $str;
}

get_magic_quotes_gpc:
Returns the value of the PHP configuration directive magic_quotes_gpc.
Syntax: long get_magic_quotes_gpc(void);
Return value: long integer
Function type: PHP system function

Content description:

This function returns the value of the magic_quotes_gpc directive (GPC stands for Get/Post/Cookie) in the PHP configuration. A return value of 0 means the feature is off; 1 means it is on. When magic_quotes_gpc is on, every single quote ('), double quote ("), backslash (\) and NUL byte in request data is automatically escaped with a backslash.
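The note above warns against escaping a value twice, and the html() wrapper shows the usual guard. The following added example (not code from the original article) puts the guard into a function that also walks arrays, builds the kind of quoted SQL literal the article has in mind, and shows what double escaping looks like and how stripslashes() peels one level off. It assumes the legacy magic_quotes_gpc directive: on PHP 5.4 and later the directive no longer exists and get_magic_quotes_gpc() always returns false, and on PHP 8 the function itself is gone, hence the function_exists() check. The table and column names are placeholders.

```php
<?php
// Added example, not from the original article.

// True only on legacy PHP where magic_quotes_gpc exists and is switched on.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Escape request data exactly once: skip addslashes() when PHP already did it.
// Arrays ($_POST, $_GET) are handled element by element, nested arrays included.
function escape_once($value)
{
    if (is_array($value)) {
        return array_map('escape_once', $value);
    }
    return magic_quotes_active() ? $value : addslashes($value);
}

// The quoted-literal style of query the article describes (placeholder table/column).
function build_insert($name)
{
    return "INSERT INTO users (name) VALUES ('" . escape_once($name) . "')";
}

// Constructed sample input standing in for a form field.
$raw = "Who's John Adams?";

echo build_insert($raw), "\n";

// Double escaping: addslashes() applied to an already escaped string escapes the
// backslash as well as the quote, so literal backslashes reach the database and
// stripslashes() is needed on output to remove them, one level per call.
$twice = addslashes(addslashes($raw));
echo $twice, "\n";
echo stripslashes($twice), "\n";
echo stripslashes(stripslashes($twice)), "\n";
```

Note that addslashes() is not aware of the connection character set; for a live connection mysqli_real_escape_string() or, better, a prepared statement is the safer way to keep request data out of the SQL text.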

addslashes: quote a string with backslashes

Description:

string addslashes ( string $str )
Returns a string with a backslash placed before each character that needs to be escaped in a database query statement and similar contexts. These characters are the single quote ('), double quote ("), backslash (\) and NUL (the null byte).

A typical use of addslashes() is when you are about to insert data into a database. For example, inserting the name O'reilly requires escaping it; most databases use \ as the escape character, giving O\'reilly. The escaped form lets the database store the data without keeping the extra \. When the PHP directive magic_quotes_sybase is set to On, a single quote is instead escaped by doubling it ('').

By default the PHP directive magic_quotes_gpc is On, which essentially runs addslashes() automatically on all GET, POST and COOKIE data. Do not call addslashes() on a string that magic_quotes_gpc has already escaped, because that escapes it twice. Whether magic_quotes_gpc is on can be detected with get_magic_quotes_gpc().

Example 1. addslashes () Sample

<?php
$str = "Is your name O'reilly?";
// Output: Is your name O\'reilly?
echo addslashes($str);
?>
get_magic_quotes_gpc()

This function returns the value of the magic_quotes_gpc directive (GPC stands for Get/Post/Cookie) in the PHP configuration. A return value of 0 means the feature is off; 1 means it is on. When magic_quotes_gpc is on, every single quote ('), double quote ("), backslash (\) and NUL byte in request data is automatically escaped with a backslash.

magic_quotes_gpc

Should magic_quotes_gpc in php.ini be set to Off or On?

Personal opinion: it should be set to On.

Summarised as follows:

1. When magic_quotes_gpc=On:

String data can be written to and read back from the database without calling addslashes() on input or stripslashes() on output, and it will display correctly.

If you do apply addslashes() to the input data in this case, you must use stripslashes() on output to remove the redundant backslashes.

2. When magic_quotes_gpc=Off:

You must apply addslashes() to the input data, but you do not need stripslashes() to format the output, because addslashes() does not write the backslash into the database; it only lets MySQL parse the SQL statement correctly.

Additional:

Scope of magic_quotes_gpc: data arriving from the web client (GET, POST and Cookie); it takes effect when the request starts, that is, as the script begins to run.
Scope of magic_quotes_runtime: data read from a file, returned by exec(), or fetched from an SQL query; it takes effect every time the script accesses data generated at run time.

Code:

<?php
/*
A form often submits more than one variable; there may be a dozen or several dozen.
Copying and pasting addslashes() for each one is tedious. Because data from a form or
URL arrives as an array ($_POST, $_GET), define one function that handles all of them
at once.
*/
function quotes($content)
{
    // If magic_quotes_gpc=Off, start processing
    if (!get_magic_quotes_gpc()) {
        // Check whether $content is an array
        if (is_array($content)) {
            // If $content is an array, process every element (recursing into
            // nested arrays, which addslashes() itself cannot take)
            foreach ($content as $key => $value) {
                $content[$key] = quotes($value);
            }
        } else {
            // If $content is not an array, escape it once and keep the result
            $content = addslashes($content);
        }
    } else {
        // If magic_quotes_gpc=On, leave the data as it is
    }
    // Return $content
    return $content;
}
?>
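The quotes() helper above still depends on the magic_quotes_gpc setting and on quoting values into the SQL text by hand. As an added example (not part of the original article), here is the same form-handling task done with a parameterised query, which needs neither addslashes() nor magic quotes because the values are sent separately from the statement and cannot change its structure. It assumes PDO with the MySQL driver; the DSN, credentials, table name and column names are placeholders, and the $sample_post array is constructed input standing in for $_POST.

```php
<?php
// Added example, not from the original article.

// Pick out the fields this form expects, whatever magic_quotes_gpc is set to.
function collect_fields(array $post, array $expected)
{
    $fields = array();
    foreach ($expected as $name) {
        $value = isset($post[$name]) ? $post[$name] : '';
        // Only scalar fields are accepted here; nested arrays are ignored.
        if (is_array($value)) {
            $value = '';
        }
        // Undo legacy magic quotes so the raw value reaches the driver; the
        // driver is responsible for escaping, not the application.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $fields[$name] = $value;
    }
    return $fields;
}

// Insert with a prepared statement: the values never become part of the SQL
// text, so a quote or backslash in the input is stored literally and cannot
// alter the statement. Returns the number of rows inserted.
function insert_user(PDO $db, array $fields)
{
    // Use real server-side prepares rather than client-side emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare('INSERT INTO users (name, city) VALUES (:name, :city)');
    $stmt->execute(array(
        ':name' => $fields['name'],
        ':city' => $fields['city'],
    ));
    return $stmt->rowCount();
}

// Constructed sample input standing in for $_POST.
$sample_post = array('name' => "O'reilly", 'city' => 'Dublin');
$fields = collect_fields($sample_post, array('name', 'city'));

// Placeholder DSN and credentials; charset is set on the connection so the
// driver escapes with the same character set the server uses.
$db = new PDO(
    'mysql:host=localhost;dbname=example;charset=utf8mb4',
    'user',
    'password',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)
);
insert_user($db, $fields);
```

With this approach the On/Off question for magic_quotes_gpc stops mattering for the query itself: the only remaining job is to strip the legacy backslashes on input so that the stored value is exactly what the user typed.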

I hope this article is helpful to everyone's PHP programming.
