Introduction to php functions to prevent sql injection
A few days ago, people were injected into the website. Now I will introduce to you several built-in processing functions of PHP to prevent SQL injection. For example, PHP's MySQL operation functions include addslashes(), mysql_real_escape_string(), mysql_escape_string() and other functions.
Specific usage: addslashes prevent SQL injection
Although many domestic PHP programmers still rely on addslashes to prevent SQL injection, it is still recommended that everyone strengthen the check to prevent SQL injection in Chinese. The problem with addslashes is that hackers can use 0xbf27 to replace single quotes, while addslashes only changes 0xbf27 to 0xbf5c27, which becomes a valid multi-byte character. 0xbf5c is still regarded as a single quote, so addslashes cannot successfully intercept.
Of course, addslashes is not useless. It is used for processing single-byte strings. For multi-byte characters, use mysql_real_escape_string.
In addition, for the example of get_magic_quotes_gpc in the PHP manual, the code is as follows:
Function post_check($post) {
$post = addslashes($post); // Correct the case where magic_quotes_gpc is not turned on Filtering of submitted data } $post = str_replace("_", "_", $post); // Filter out '_' $post = str_replace("%", "%", $ post); // Filter out ' % ' }//Open source code phpfensi.com ?> //Or function inject_check($sql_str) { . . . '| Function verify_id($id=null) { (inject_check($id) ) { exit('The submitted parameters are illegal! ');} // Injecting judgment Elseif (! IS_NUMERIC ($ ID)) {exit (' The parameters submitted illegal! ');} // Digital judgment $ ID = intval ($ ID); // Tolerance Typed Escape special characters in unescaped_string, taking into account the connection's current character set, so it can be safely used in mysql_query().Note: mysql_real_escape_string() does not escape % and _.mysql_real_escape_string,Example#1 mysql_real_escape_string() example, the code is as follows: $item = "Zak's and Derick's Laptop" ; $escaped_item = mysql_real_escape_string ( $item ); printf ( "Escaped string: %sn" , $escaped_item ); ?& gt; //Above examples The following output will be produced: //Escaped string: Zak's and Derick's Laptop mysql_escape_stringThis function escapes unescaped_string so that it can be safely used in mysql_query().
Note: mysql_escape_string() does not escape % and _. This function is exactly the same as mysql_real_escape_string(), except that mysql_real_escape_string() accepts a connection handle and transfers the string according to the current character set. mysql_escape_string() does not accept connection parameters and does not care about the current character set setting.
Example 1. mysql_escape_string() example, the code is as follows:
$item = "Zak's Laptop";
$escaped_item = mysql_escape_string($item);
printf ("Escaped string: %sn", $escaped_item);
?>
//Output:
//Escaped string: Zak's Laptop
mysql_ real_escape_string and mysql_escape_string these 2 The difference between the two functions:
mysql_real_escape_string must be used under (PHP 4 >= 4.3.0, PHP 5), otherwise mysql_escape_string can only be used. The difference between the two is: mysql_real_escape_string takes into account the current character set of the connection, And mysql_escape_string is not considered.
We can use judgment to process it comprehensively. The code is as follows:
function cleanuserinput($dirty){
if (get_magic_quotes_gpc()) {
$clean = mysql_real_escape_string(stripslashes($dirty)) ;
}else{
$clean = mysql_real_escape_string($dirty);
}
return $clean;
}
To summarize: * addslashes() is a forced addition; () will determine the character set, However, there are requirements for the PHP version; * mysql_escape_string does not consider the current character set of the connection.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1677
14
1430
52
1333
25
1278
29
1257
24
Explain secure password hashing in PHP (e.g., password_hash, password_verify). Why not use MD5 or SHA1?
Apr 17, 2025 am 12:06 AM
In PHP, password_hash and password_verify functions should be used to implement secure password hashing, and MD5 or SHA1 should not be used. 1) password_hash generates a hash containing salt values to enhance security. 2) Password_verify verify password and ensure security by comparing hash values. 3) MD5 and SHA1 are vulnerable and lack salt values, and are not suitable for modern password security.
How does PHP type hinting work, including scalar types, return types, union types, and nullable types?
Apr 17, 2025 am 12:25 AM
PHP type prompts to improve code quality and readability. 1) Scalar type tips: Since PHP7.0, basic data types are allowed to be specified in function parameters, such as int, float, etc. 2) Return type prompt: Ensure the consistency of the function return value type. 3) Union type prompt: Since PHP8.0, multiple types are allowed to be specified in function parameters or return values. 4) Nullable type prompt: Allows to include null values and handle functions that may return null values.
PHP and Python: Different Paradigms Explained
Apr 18, 2025 am 12:26 AM
PHP is mainly procedural programming, but also supports object-oriented programming (OOP); Python supports a variety of paradigms, including OOP, functional and procedural programming. PHP is suitable for web development, and Python is suitable for a variety of applications such as data analysis and machine learning.
Choosing Between PHP and Python: A Guide
Apr 18, 2025 am 12:24 AM
PHP is suitable for web development and rapid prototyping, and Python is suitable for data science and machine learning. 1.PHP is used for dynamic web development, with simple syntax and suitable for rapid development. 2. Python has concise syntax, is suitable for multiple fields, and has a strong library ecosystem.
PHP and Python: A Deep Dive into Their History
Apr 18, 2025 am 12:25 AM
PHP originated in 1994 and was developed by RasmusLerdorf. It was originally used to track website visitors and gradually evolved into a server-side scripting language and was widely used in web development. Python was developed by Guidovan Rossum in the late 1980s and was first released in 1991. It emphasizes code readability and simplicity, and is suitable for scientific computing, data analysis and other fields.
PHP and Frameworks: Modernizing the Language
Apr 18, 2025 am 12:14 AM
PHP remains important in the modernization process because it supports a large number of websites and applications and adapts to development needs through frameworks. 1.PHP7 improves performance and introduces new features. 2. Modern frameworks such as Laravel, Symfony and CodeIgniter simplify development and improve code quality. 3. Performance optimization and best practices further improve application efficiency.
Why Use PHP? Advantages and Benefits Explained
Apr 16, 2025 am 12:16 AM
The core benefits of PHP include ease of learning, strong web development support, rich libraries and frameworks, high performance and scalability, cross-platform compatibility, and cost-effectiveness. 1) Easy to learn and use, suitable for beginners; 2) Good integration with web servers and supports multiple databases; 3) Have powerful frameworks such as Laravel; 4) High performance can be achieved through optimization; 5) Support multiple operating systems; 6) Open source to reduce development costs.
PHP's Impact: Web Development and Beyond
Apr 18, 2025 am 12:10 AM
PHPhassignificantlyimpactedwebdevelopmentandextendsbeyondit.1)ItpowersmajorplatformslikeWordPressandexcelsindatabaseinteractions.2)PHP'sadaptabilityallowsittoscaleforlargeapplicationsusingframeworkslikeLaravel.3)Beyondweb,PHPisusedincommand-linescrip
