Detailed explanation of php mysql_real_escape_string anti-sql injection

Home

Backend Development

PHP Tutorial

Detailed explanation of php mysql_real_escape_string anti-sql injection_PHP tutorial

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 13, 2016 pm 05:10 PM

escape mysql php sql string us yes injection Program development Detailed explanation

Preventing sql injection is a must-do step in our program development. Let me introduce to you some methods of using mysql_real_escape_string to prevent sql injection in PHP and mysql development.

The mysql_real_escape_string() function escapes special characters in strings used in SQL statements. The following characters are affected:

代码如下	复制代码
x00 n r ' " x1a

If successful, the function returns the escaped string. If failed, returns false.

Easy to use the function below to effectively filter.

The code is as follows

Copy code

代码如下	复制代码
function safe($s){ //安全过滤函数 if(get_magic_quotes_gpc()){ $s=stripslashes($s); } $s=mysql_real_escape_string($s); return $s; }

function safe($s){ //safe filter function

if(get_magic_quotes_gpc()){ $s=stripslashes($s); }

$s=mysql_real_escape_string($s);

代码如下	复制代码
if(get_magic_quotes_gpc()) { $_REQUEST = array_map( 'stripslashes', $_REQUEST); } $_REQUEST = array_map( 'mysql_real_escape_string', $_REQUEST);

return $s;

}

Or add it to the conn public connection file, so there is no need to modify the code:

The code is as follows

Copy code

if(get_magic_quotes_gpc()) {

代码如下	复制代码
$id=intval($id); mysql_query=”select from example where articieid=’$id’”;或者这样写：mysql_query(”SELECT FROM article WHERE articleid=”.intval($id).”")

$_REQUEST = array_map( 'stripslashes', $_REQUEST); }

$_REQUEST = array_map( 'mysql_real_escape_string', $_REQUEST);

代码如下	复制代码
$search=addslashes($search); $search=str_replace(“_”,”_”,$search); $search=str_replace(“%”,”%”,$search);

mysql_real_escape_string's anti-sql injection protection is only the most basic protection. If you need more powerful anti-sql injection protection, I can refer to the following method The first is the security settings of the server. Here are mainly the security settings of php+mysql and the security settings of the Linux host. To prevent php+mysql injection, first set magic_quotes_gpc to On and display_errors to Off. If it is an id type, we use intval() to convert it into an integer type, as shown in the code:

The code is as follows	Copy code
$id=intval($id); mysql_query=”select from example where articieid=’$id’”; Or write like this: mysql_query(”SELECT FROM article WHERE articleid=”.intval($id).””)

If it is a character type, use addslashes() to filter it, and then filter "%" and "_", such as:

The code is as follows	Copy code
$search=addslashes($search); $search=str_replace(“_”,”_”,$search); $search=str_replace(“%”,”%”,$search);

Of course you can also add PHP universal anti-injection code:
/***************************
PHP universal anti-injection security code
Description:
Determine whether the passed variable contains illegal characters
Such as $_POST, $_GET
Function:
Anti-injection

$ArrPostAndGet[]=$value; }

The code is as follows

代码如下

复制代码

**************************/
//要过滤的非法字符
$ArrFiltrate=array(”‘”,”;”,”union”);
//出错后要跳转的url,不填则默认前一页
$StrGoUrl=”";
//是否存在数组中的值
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}
//合并$_POST 和 $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
foreach($HTTP_GET_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}
}
//验证开始
foreach($ArrPostAndGet as $key=>$value){
if (FunStringExist($value,$ArrFiltrate)){
echo “alert(/”Neeao提示，非法字符/”);”;
if (empty($StrGoUrl)){
echo “history.go(-1);”;
}else{
echo “window.location=/”".$StrGoUrl.”/”;”;
}
exit;
}
}
?>

Copy code

********** ****************/
//Illegal characters to filter
$ArrFiltrate=array(”‘”,”;”,”union”); //The URL to jump to after an error occurs. If not filled in, the previous page will be defaulted

$StrGoUrl=””;
//Whether there is a value in the array
function FunStringExist($StrFiltrate,$ArrFiltrate){
foreach ($ArrFiltrate as $key=>$value){
if (eregi($value,$StrFiltrate)){
return true;
}
}
return false;
}
//Merge $_POST and $_GET
if(function_exists(array_merge)){
$ArrPostAndGet=array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
}else{
foreach($HTTP_POST_VARS as $key=>$value){
$ArrPostAndGet[]=$value;
}

foreach($HTTP_GET_VARS as $key=>$value){

} //Verification starts

foreach($ArrPostAndGet as $key=>$value){

/***************************

Save as checkpostandget.php

Then add include("checkpostandget.php"); in front of each php file **************************/ In addition, the administrator username and password are md5 encrypted, which can effectively prevent PHP injection. There are also some security precautions that need to be strengthened on the server and mysql. For security settings of linux server: To encrypt the password, use the "/usr/sbin/authconfig" tool to turn on the password shadow function and encrypt the password. To prohibit access to important files, enter the Linux command interface and enter: at the prompt. #chmod 600 /etc/inetd.conf //Change file attributes to 600 #chattr +I /etc/inetd.conf // Ensure that the file owner is root #chattr –I /etc/inetd.conf // Limit changes to this file It is forbidden for any user to change to the root user through the su command Add the following two lines at the beginning of the su configuration file, that is, the /etc/pam.d/ directory: Auth sufficient /lib/security/pam_rootok.so debug Auth required /lib/security/pam_whell.so group=wheel Delete all special accounts #userdel lp etc. Delete user #groupdel lp etc. Delete group Ban unused suid/sgid programs #find / -type f (-perm -04000 - o –perm -02000 ) -execls –lg {} ; http://www.bkjia.com/PHPjc/629620.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629620.htmlTechArticlePreventing sql injection is a step that must be done when developing our programs. Let me introduce to you how to use PHP with Introduction to some methods of using mysql_real_escape_string to prevent SQL injection in mysql development. m...

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

How to fix KB5055612 fails to install in Windows 10?

4 weeks ago By DDD

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks ago By DDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Nordhold: Fusion System, Explained

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Java Tutorial

1669

CakePHP Tutorial

1428

Laravel Tutorial

1329

PHP Tutorial

1273

C# Tutorial

1256

Related knowledge

What is the significance of the session_start() function? May 03, 2025 am 12:18 AM

session_start()iscrucialinPHPformanagingusersessions.1)Itinitiatesanewsessionifnoneexists,2)resumesanexistingsession,and3)setsasessioncookieforcontinuityacrossrequests,enablingapplicationslikeuserauthenticationandpersonalizedcontent.

Steps to add and delete fields to MySQL tables Apr 29, 2025 pm 04:15 PM

In MySQL, add fields using ALTERTABLEtable_nameADDCOLUMNnew_columnVARCHAR(255)AFTERexisting_column, delete fields using ALTERTABLEtable_nameDROPCOLUMNcolumn_to_drop. When adding fields, you need to specify a location to optimize query performance and data structure; before deleting fields, you need to confirm that the operation is irreversible; modifying table structure using online DDL, backup data, test environment, and low-load time periods is performance optimization and best practice.

How to uninstall MySQL and clean residual files Apr 29, 2025 pm 04:03 PM

To safely and thoroughly uninstall MySQL and clean all residual files, follow the following steps: 1. Stop MySQL service; 2. Uninstall MySQL packages; 3. Clean configuration files and data directories; 4. Verify that the uninstallation is thorough.

An efficient way to batch insert data in MySQL Apr 29, 2025 pm 04:18 PM

Efficient methods for batch inserting data in MySQL include: 1. Using INSERTINTO...VALUES syntax, 2. Using LOADDATAINFILE command, 3. Using transaction processing, 4. Adjust batch size, 5. Disable indexing, 6. Using INSERTIGNORE or INSERT...ONDUPLICATEKEYUPDATE, these methods can significantly improve database operation efficiency.

How to use MySQL functions for data processing and calculation Apr 29, 2025 pm 04:21 PM

MySQL functions can be used for data processing and calculation. 1. Basic usage includes string processing, date calculation and mathematical operations. 2. Advanced usage involves combining multiple functions to implement complex operations. 3. Performance optimization requires avoiding the use of functions in the WHERE clause and using GROUPBY and temporary tables.

Composer: The Package Manager for PHP Developers May 02, 2025 am 12:23 AM

Composer is a dependency management tool for PHP, and manages project dependencies through composer.json file. 1) parse composer.json to obtain dependency information; 2) parse dependencies to form a dependency tree; 3) download and install dependencies from Packagist to the vendor directory; 4) generate composer.lock file to lock the dependency version to ensure team consistency and project maintainability.

Detailed explanation of the installation steps of MySQL on macOS system Apr 29, 2025 pm 03:36 PM

Installing MySQL on macOS can be achieved through the following steps: 1. Install Homebrew, using the command /bin/bash-c"$(curl-fsSLhttps://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)". 2. Update Homebrew and use brewupdate. 3. Install MySQL and use brewinstallmysql. 4. Start MySQL service and use brewservicesstartmysql. After installation, you can use mysql-u

How to analyze the execution plan of MySQL query Apr 29, 2025 pm 04:12 PM

Use the EXPLAIN command to analyze the execution plan of MySQL queries. 1. The EXPLAIN command displays the execution plan of the query to help find performance bottlenecks. 2. The execution plan includes fields such as id, select_type, table, type, possible_keys, key, key_len, ref, rows and Extra. 3. According to the execution plan, you can optimize queries by adding indexes, avoiding full table scans, optimizing JOIN operations, and using overlay indexes.

See all articles