Summary of methods to prevent SQL injection in PHP + MySQL

Time:2020-1-6

The example of this article describes how to prevent SQL injection by PHP + mysql. To share with you for your reference, as follows:

SQL injection

Example: script logic


$sql = "SELECT * FROM user WHERE userid = $_GET[userid] ";

Case 1:

Copy codeThe code is as follows:
SELECT * FROM t WHERE a LIKE ‘%xxx%’ OR (IF(NOW=SYSDATE(), SLEEP(5), 1)) OR b LIKE ‘1=1 ‘;

Case 2:

Copy codeThe code is as follows:
SELECT * FROM t WHERE a > 0 AND b IN(497 AND (SELECT * FROM (SELECT(SLEEP(20)))a) );

Case 3:

Copy codeThe code is as follows:
SELECT * FROM t WHERE a=1 and b in (1234 ,(SELECT (CASE WHEN (5=5) THEN SLEEP(5) ELSE 5*(SELECT 5 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) );

Monitor the following methods

Sleep() – the general SQL blind annotation will be accompanied by the sleep() function, and generally sleep is at least 5 seconds
MID()
CHAR()
ORD()
SYSDATE()
SUBSTRING()
DATABASES()
SCHEMA()
USER()
VERSION()
CURRENT_USER()
LOAD_FILE()
OUTFILE/DUMPFILE
INFORMATION_SCHEMA
TABLE_NAME
Fwrite () /fopen () /file get contents () – these are PHP file manipulation functions

Response:

1.mysql_escape_string()Escape special characters ((PHP 4 > = 4.3.0, PHP 5)) (mysql_real_escape_string must be linked to the database first, otherwise an error will be reported)

The following characters are affected:

\X00 / / null corresponding to ASCII character
\N / / newline and back to the top of the next line
\R / / line break
\/ / escape character


\X1a / / hexadecimal number

If successful, the function returns the escaped string. If it fails, it returns false.

2.addslashes(): function returns a string that adds a backslash before a predefined character(stripslashes()Implement string restore)

Predefined characters are:

Single quotation mark (‘)
Double quotes (“)
Backslash (\)
    NULL

3. Prepared statements


<?php
$mysqli = new mysqli("example.com", "user", "password", "database");
if ($mysqli->connect_errno) {
 echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
/* Non-prepared statement */
if (!$mysqli->query("DROP TABLE IF EXISTS test") || !$mysqli->query("CREATE TABLE test(id INT)")) {
 echo "Table creation failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
/* Prepared statement, stage 1: prepare */
if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {
 echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
/* Prepared statement, stage 2: bind and execute */
$id = 1;
if (!$stmt->bind_param("i", $id)) {
 echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}
if (!$stmt->execute()) {
 echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
?>

For more information about PHP, you can see the following topics: PHP programming security tutorial, PHP security filtering skills summary, PHP operation and operator usage summary, PHP basic syntax tutorial, PHP object-oriented programming tutorial, PHP string usage summary, PHP + MySQL database operation tutorial 》And PHP common database operation skills summary

I hope that this article will be helpful for PHP programming.

Tags: , , ,

Recommended Today

Use of Android WebView (super detailed usage)

1.1 overview of WebView Android WebView is a special view on the Android platform. It can be used to display web pages. This WebView class can be used to display only one online web page in the app. Of course, it can also be used to develop browsers. The internal implementation of WebView uses WebKit […]