The difference between several PHP functions for preventing SQL injection attacks

【Foreword】

    This article summarizes the differences between several PHP functions used to prevent SQL injection attacks.

 

【main body】

SQL injection attacks are the most common means by which hackers attack websites. If your site does not use strict user input validation, it is often vulnerable to SQL injection attacks. SQL injection attacks are usually implemented by submitting bad data or query statements to the site database, which is likely to expose, change or delete records in the database.

 

To help prevent SQL injection attacks, PHP ships with a feature that processes input strings and applies preliminary security processing at a low level: Magic Quotes (the magic_quotes_gpc option in php.ini). If magic_quotes_gpc is enabled, single quotes, double quotes and certain other characters in input strings are automatically preceded by a backslash \.

 

But Magic Quotes is not a general solution: it does not block every potentially dangerous character, and it is not enabled on many servers. We therefore also need other methods to prevent SQL injection.

 

Many databases natively provide this kind of input processing. For example, PHP offers functions such as addslashes(), mysql_real_escape_string() and mysql_escape_string() alongside its MySQL operation functions; they escape special characters and characters that may cause database operations to fail. So what is the difference between these three functions? Let's go through them in detail below.

 

Although many PHP programmers in China still rely on addslashes to prevent SQL injection, it is recommended that you strengthen the checking of Chinese (multibyte) input as well. The problem with addslashes is that an attacker can supply the byte sequence 0xbf27 instead of a plain single quote: addslashes merely turns 0xbf27 into 0xbf5c27, and in a multibyte character set 0xbf5c becomes one valid two-byte character, so the trailing 0x27 is still treated as a single quote and addslashes fails to intercept it.

 

Of course, addslashes is not useless: it is meant for processing single-byte strings, while mysql_real_escape_string is the one to use for multibyte characters.

 

In addition, consider the get_magic_quotes_gpc example from the PHP manual:

    // Escape by hand only when magic_quotes_gpc has not already done it
    if (!get_magic_quotes_gpc()) {
        $lastname = addslashes($_POST['lastname']);
    } else {
        $lastname = $_POST['lastname'];
    }

It is best to check whether magic_quotes_gpc is already on before processing $_POST['lastname'], so that the value is not escaped a second time.

 

Now for the difference between the two functions mysql_real_escape_string and mysql_escape_string:

mysql_real_escape_string requires PHP 4 >= 4.3.0 or PHP 5; on older versions only mysql_escape_string is available. The difference between the two is that mysql_real_escape_string takes the current character set of the connection into account, while mysql_escape_string does not.
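The following is an added example, not code from the original article: it ties together the multibyte problem described above for addslashes and the magic_quotes check, using mysqli_real_escape_string in place of the removed mysql_* extension. It assumes PHP 5.4 or later with the mbstring extension; the database host, user, password and database name are placeholders, and that part is skipped when no server is reachable.

```php
<?php
// Added example; not code from the original article.

// Undo magic_quotes_gpc when it is on, so a value is never escaped twice.
// get_magic_quotes_gpc() returns false from PHP 5.4 and is gone in PHP 8.
function raw_gpc_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Constructed input: the byte 0xBF followed by an ASCII single quote (0x27).
$input = raw_gpc_value("\xBF'");

// addslashes() works byte by byte and knows nothing about the connection
// charset: it puts 0x5C in front of the quote, giving the bytes BF 5C 27.
$escaped = addslashes($input);
echo bin2hex($escaped), "\n";

// Read as GBK, BF 5C is one valid two-byte character, so the quote after it
// is a bare quote again: the string decodes to two characters and the last
// one is the unescaped quote. This is the defect the article describes.
echo mb_strlen($escaped, 'GBK'), " GBK characters, last one is a quote: ";
var_dump(mb_substr($escaped, -1, 1, 'GBK') === "'");

// mysqli_real_escape_string() escapes according to the charset of the
// connection, so set the charset on the link with mysqli_set_charset() (not
// with a raw SET NAMES query, which the client library does not see). With a
// multibyte charset the lead byte of an invalid sequence is escaped as well,
// so the quote cannot be swallowed into a two-byte character.
mysqli_report(MYSQLI_REPORT_OFF);   // return false instead of throwing
$link = @mysqli_connect('db.example.invalid', 'app_user', 'app_password', 'app_db');
if ($link !== false) {
    mysqli_set_charset($link, 'gbk');
    $safe = mysqli_real_escape_string($link, $input);
    echo bin2hex($safe), "\n";
    mysqli_close($link);
} else {
    echo "no database connection; skipping the mysqli_real_escape_string part\n";
}
```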

 

Conclusion:

 

* addslashes() unconditionally adds a backslash \;

* mysql_real_escape_string() takes the character set into account, but has PHP version requirements;

* mysql_escape_string() does not take the current character set of the connection into account.


SQL injection prevention in dz (Discuz!) relies on the addslashes function, and at the same time the dhtmlspecialchars function performs some replacements, such as $string = preg_replace('/&((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', ...). This replacement addresses the injection problem and also fixes some problems with garbled Chinese characters.
