MySQL anti-injection

1. Simple SQL injection prevention

In a SQL injection attack, the attacker places SQL fragments in the input fields of a web form or in the query string of a page request so that the server ends up executing SQL the attacker chose.

In some forms the content the user enters is used directly to construct (or influence) dynamic SQL statements, or is passed as an input parameter to a stored procedure. Such forms are particularly exposed to SQL injection.

A short note on magic_quotes_gpc, and on the difference between addslashes() and addcslashes():

1. Conditions: magic_quotes_gpc=off

The string written to the database undergoes no filtering at all; the string read back from the database is not processed either.

Data: $data="snow''''sun"; (between snow and sun are four consecutive single quotes).

Operation: write the string "snow''''sun" into the database.

Result: the single quotes reach the server unescaped. A quote that is neither backslash-escaped nor doubled ends the string literal, so whatever follows is parsed as SQL; the statement fails with a syntax error and nothing is written.

Database storage format: no data.

Output data format: no data.

Caveat: MySQL reads two adjacent single quotes inside a literal as one escaped quote, so exactly four quotes in a row ('snow''''sun') would in fact parse and store snow''sun. To reproduce the failure described here, test with an odd number of quotes, for example snow'sun. Either way the input has rewritten the statement, which is exactly the injection problem.

2. Conditions: magic_quotes_gpc=off

The string written to the database is processed by addslashes(); the string read back from the database is not processed.

Data: $data="snow''''sun"; (between snow and sun are four consecutive single quotes)

Operation: write the string "snow''''sun" into the database.

Result: the SQL statement executes successfully and the data is written to the database.

Database storage format: snow''''sun (same as the input)

Output data format: snow''''sun (same as the input)

Explanation: addslashes() converts each single quote into the escape sequence \', which lets the SQL statement execute, but \' is not stored as data. The server interprets the escape sequence, so the database holds snow''''sun and not the snow\'\'\'\'sun one might expect.

Note: single quotes that reach the server unescaped, as in case 1, break the SQL statement when writing to the database.

3. Conditions: magic_quotes_gpc=on

The string written to the database undergoes no processing by the script; the string read back from the database is not processed.

Data: $data="snow''''sun"; (between snow and sun are four consecutive single quotes)

Operation: write the string "snow''''sun" into the database.

Result: the SQL statement executes successfully and the data is written to the database.

Database storage format: snow''''sun (same as the input)

Output data format: snow''''sun (same as the input)

Explanation: with magic_quotes_gpc=on PHP converts each single quote to \' before the script sees the value, so the SQL statement executes, but \' is not written to the database as data: the database holds snow''''sun, not snow\'\'\'\'sun as one might expect.

Caveat: magic_quotes_gpc only rewrites GET, POST and cookie data. A string literal assigned inside the script, as in the Data line above, is never touched by it; in a real script $data would be something like $_POST['data'].

4. Conditions: magic_quotes_gpc=on

The string written to the database is processed by addslashes(); the string read back from the database is not processed.

Data: $data="snow''''sun"; (between snow and sun are four consecutive single quotes)

Operation: write the string "snow''''sun" into the database.

Result: the SQL statement executes successfully and the data is written to the database.

Database storage format: snow\'\'\'\'sun (escape characters added)

Output data format: snow\'\'\'\'sun (escape characters added)

Explanation: magic_quotes_gpc=on converts each single quote to \' so that the SQL statement executes; addslashes() then escapes the value a second time, turning each \' into \\\' before the query is built. The server interprets one level of escaping, so the second level is written as data and the database holds snow\'\'\'\'sun.

Summary:

1. When magic_quotes_gpc=on

We need not apply addslashes() or stripslashes() to the string data going into or coming out of the database, and the data displays correctly. If you do apply addslashes() to the input, then on output you must use stripslashes() to strip the extra backslashes.

2. When magic_quotes_gpc=off

You must process the input with addslashes(), but you do not need stripslashes() on output, because addslashes() did not write the backslashes into the database; it only allowed MySQL to execute the statement.
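The four cases can be reproduced without a MySQL server by feeding the escaped value through a parser that reads a single-quoted literal the way the server does. The PHP below is an added example and is not code from the original post. magic_quotes_gpc no longer exists (it was removed in PHP 5.4), so it is emulated with addslashes(), which applies the same escaping that magic_quotes_gpc applied to GET/POST/COOKIE data; the literal parser is a deliberately small model (assumption: backslash escapes and doubled quotes are the only forms that matter here), not MySQL's own code.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Reproduces the four
// magic_quotes_gpc / addslashes() cases without a MySQL server by parsing the
// string literal the way the server's SQL parser does.
// magic_quotes_gpc was removed in PHP 5.4, so it is emulated with addslashes(),
// which escapes the same four characters (' " \ NUL). The parser below models
// only backslash escapes and doubled quotes (assumption: sufficient here).

// Parse one single-quoted MySQL literal such as 'snow\'sun' and return the
// value the server would store. Throws when an unescaped quote closes the
// literal early, i.e. when the input has rewritten the statement.
function mysql_parse_literal(string $literal): string
{
    $escapes = ['0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t",
                'Z' => "\x1a", 'b' => "\x08"];
    $len = strlen($literal);
    if ($len < 2 || $literal[0] !== "'") {
        throw new RuntimeException('not a single-quoted literal');
    }
    $out = '';
    for ($i = 1; $i < $len; $i++) {
        $c = $literal[$i];
        if ($c === '\\' && $i + 1 < $len) {
            // backslash escape: \' \" \\ and the control escapes above;
            // any other \x yields x
            $n = $literal[++$i];
            $out .= $escapes[$n] ?? $n;
        } elseif ($c === "'") {
            if ($i + 1 < $len && $literal[$i + 1] === "'") {
                $out .= "'";          // '' inside a literal is one quote
                $i++;
            } elseif ($i === $len - 1) {
                return $out;          // closing quote at the end: well formed
            } else {
                // closing quote followed by more text: the statement is broken
                throw new RuntimeException(
                    'syntax error near ' . substr($literal, $i + 1));
            }
        } else {
            $out .= $c;
        }
    }
    throw new RuntimeException('unterminated string literal');
}

// One row of the case table: what the script receives, what it adds, what is stored.
function simulate_store(bool $magic_quotes_gpc, bool $script_addslashes, string $raw): string
{
    $value = $magic_quotes_gpc ? addslashes($raw) : $raw;  // value as read from $_POST
    if ($script_addslashes) {
        $value = addslashes($value);                       // escaping done by the script
    }
    $literal = "'" . $value . "'";   // as it appears in INSERT ... VALUES ('...')
    try {
        return mysql_parse_literal($literal);
    } catch (RuntimeException $e) {
        return 'SQL ERROR: ' . $e->getMessage();
    }
}

$cases = [
    [false, false, 'case 1: gpc=off, no addslashes()'],
    [false, true,  'case 2: gpc=off, addslashes()'],
    [true,  false, 'case 3: gpc=on,  no addslashes()'],
    [true,  true,  'case 4: gpc=on,  addslashes()'],
];
// the post's input (four quotes) and an odd number of quotes, which is the
// input that actually breaks case 1
foreach (["snow''''sun", "snow'sun"] as $raw) {
    echo "input: $raw\n";
    foreach ($cases as [$gpc, $slashes, $label]) {
        printf("  %-34s stored: %s\n", $label, simulate_store($gpc, $slashes, $raw));
    }
}
```

For the post's four-quote input, case 1 stores snow''sun rather than failing, because the server reads each pair of quotes as one escaped quote; the second input, snow'sun, produces the syntax error of case 1, while cases 2 and 3 store snow'sun and case 4 stores snow\'sun, mirroring the table above.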

Supplement:

magic_quotes_gpc applies to data arriving from the web client (GET, POST and cookie values) and takes effect at the start of the request, before the script runs. magic_quotes_runtime applies to data read from files, to the output of exec(), and to values fetched from SQL queries, and takes effect each time the script reads such data at runtime.

Also:

addslashes() adds backslash escapes to certain characters of a string. It escapes only four characters: the single quote ('), the double quote ("), the backslash (\) and NUL (\0).

addcslashes() also escapes a string, but the characters to escape are given by its second parameter, a list of characters in which ".." denotes a range (as in 'A..z' below); the finer points of that parameter are not covered here.

stripslashes() is the inverse of addslashes(): it removes the escaping of those four characters.

Likewise, stripcslashes() is the inverse of addcslashes().

quotemeta() escapes 11 specific characters: . \ + * ? [ ^ ] ( $ ) which makes it suitable for building regular expressions.

<?php
echo addslashes("'\"\\ "), "\n";
// displays: \'\"\\

echo addcslashes("zoo['.']", 'zo'), "\n";
// displays: \z\o\o['.']

echo addcslashes("z\"oo['.']", '\'"'), "\n";
// displays: z\"oo[\'.\']

echo addcslashes('foo[ ]', 'A..z'), "\n";
// displays: \f\o\o\[ \]   (the A..z range also covers [ \ ] ^ _ `)

echo stripslashes(addslashes("'\"\\ ")), "\n";
// displays: '"\

echo stripcslashes(addcslashes("z\"oo['.']", '\'"')), "\n";
// displays: z"oo['.']

echo quotemeta(". \\ + * ?"), "\n";
// displays: \. \\ \+ \* \?

Supplement:

get_magic_quotes_gpc

Returns the value of the PHP setting magic_quotes_gpc.

Syntax:        long get_magic_quotes_gpc(void);

Return value:  0 means the feature is off;

               1 means the feature is on.

When magic_quotes_gpc is on, every ' (single quote), " (double quote), \ (backslash) and NUL character in GET, POST and cookie data is automatically converted to its backslash-escaped form.

Caveat: magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so from 5.4 on get_magic_quotes_gpc() always returns false; the function itself was deprecated in PHP 7.4 and removed in PHP 8.0. Code that still branches on it is a sign that the escaping strategy should be replaced, not patched.

Solution: check the type of the values the user submits.

From the discussion so far we have seen that the main source of SQL injection is usually an unexpected entry point in a form. But when you offer the user a form through which to submit values, you have a considerable advantage in knowing what input you want to receive, and that makes it comparatively easy to check the validity of what arrives.

Such validation was discussed in earlier articles, so here we only summarise the main points.

If you are expecting a number, you can use one of the following techniques to make sure you really got a number:

  · the is_int() function (or is_integer() or is_long());

  · the gettype() function;

  · the intval() function;

  · the settype() function.

Caveat: values from $_GET, $_POST and $_COOKIE always arrive as strings, so is_int() and gettype() applied directly to raw form input report a string even for "42". intval(), settype(), or filter_var() with FILTER_VALIDATE_INT are the checks that actually work on such input.

To check the length of user input you can use strlen(). To check that an expected time or date is valid you can use strtotime(). You will almost always want to make sure that a user's entry contains no semicolon (unless punctuation may legitimately be included); strpos() does this easily, as shown below. Two points to keep in mind: strpos() returns 0, which is falsy, when the character is at the very start of the string, so compare its result against false instead of testing it for truth; and a semicolon is not what an injection needs, since the quote that closes the string literal is the dangerous character, so this check supplements escaping or parameter binding and does not replace them.

if (strpos($variety, ';') !== false) exit("$variety is an invalid value for variety!");

As mentioned earlier, as long as you analyse your expectations of the user input carefully, you should be able to check for many of the problems in it.
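An added example (not code from the original post) that applies these checks to constructed form values and shows the edge cases the list above does not mention: form values are always strings, strtotime() rolls invalid days over into the next month, and strpos() returns 0 for a match at the start. The field names and limits are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post: validating form input by
// expected type and shape with the functions discussed above. Every value in
// $_GET and $_POST arrives as a string, so is_int() on raw form input is always
// false; filter_var() or intval() are the checks that work there.

date_default_timezone_set('UTC');

// Expect a positive integer: filter_var() rejects "12abc", "1e3" and "12.0",
// which intval() would silently turn into 12, 1 and 12.
function validate_quantity(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $n === false ? null : $n;
}

// Expect a calendar date: strtotime() accepts far more than YYYY-MM-DD and
// rolls "2024-02-30" over to March, so require the canonical form to round-trip.
function validate_date(string $raw): ?string
{
    $ts = strtotime($raw);
    if ($ts === false || date('Y-m-d', $ts) !== $raw) {
        return null;
    }
    return $raw;
}

// Expect a short name: a length limit plus an allow-list of characters.
// This replaces the semicolon check with strpos(): that check misses the
// single quote, which is the character that actually breaks the query, and
// strpos() returns 0 (falsy) when the character is at position 0.
function validate_variety(string $raw): ?string
{
    if (strlen($raw) === 0 || strlen($raw) > 40) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9 \-]+$/', $raw) === 1 ? $raw : null;
}

// Constructed sample of what a form might submit (not real request data).
$submitted = [
    'quantity' => '12abc',
    'date'     => '2024-02-30',
    'variety'  => "'; DROP TABLE plants; --",
];
$checked = [
    'quantity' => validate_quantity($submitted['quantity']),
    'date'     => validate_date($submitted['date']),
    'variety'  => validate_variety($submitted['variety']),
];
foreach ($checked as $field => $value) {
    printf("%-8s %s\n", $field, $value === null ? 'REJECTED' : 'ok: ' . $value);
}
```

All three constructed values are rejected; replacing them with "12", "2024-02-29" and "Granny Smith" passes all three. Validated values still belong in a parameterised query: the allow-list keeps the data sane, it does not make string concatenation safe.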

Filter every suspicious character out of your query. Although earlier articles discussed how to filter dangerous characters, let us briefly emphasise and summarise the issue once more:

· Do not use the magic_quotes_gpc directive or its behind-the-scenes partner, the addslashes() function: its use in application development is constrained, and it requires the extra step of calling stripslashes().

· By contrast, mysql_real_escape_string() is the more commonly used function, but it has drawbacks of its own.

mysql_real_escape_string escapes the special characters in a string for use in a SQL statement, taking the current character set of the connection into account.

Differences:

addslashes() escapes unconditionally, byte by byte, without regard to the character set;

mysql_real_escape_string() takes the connection's character set into account, but it requires PHP 4.3.0 or later and an open connection;

mysql_escape_string() does not consider the current character set of the connection.

Caveat: the whole mysql_* extension was removed in PHP 7.0. Its charset-aware replacements are mysqli_real_escape_string() (after mysqli::set_charset()) and PDO::quote(); prepared statements with bound parameters avoid escaping altogether and are the preferred fix.
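Why "takes the connection's character set into account" matters, and what to use now that mysql_real_escape_string() is gone, in an added PHP example that is not part of the original post. It uses mbstring to decode the escaped bytes the way the server would on a GBK connection; the attacker input is constructed for the example, and the users table, its columns and the two mysqli functions that need a live connection are assumptions, defined but not executed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Shows why byte-wise
// escaping (addslashes()) is not enough once the connection charset is
// multi-byte, and what replaces it. Needs the mbstring extension and PHP 7.4+.

// Count quotes that are still "live" (not preceded by an escaping backslash)
// when the escaped bytes are decoded as $charset, which is how the server
// reads the query text if the connection uses that charset.
function live_quotes(string $escaped, string $charset): int
{
    $live = 0;
    $afterBackslash = false;
    foreach (mb_str_split($escaped, 1, $charset) as $ch) {
        if ($afterBackslash) {          // this character is escaped
            $afterBackslash = false;
        } elseif ($ch === '\\') {
            $afterBackslash = true;
        } elseif ($ch === "'") {
            $live++;
        }
    }
    return $live;
}

// Constructed attacker input: 0xBF is a valid GBK lead byte and 0x5C (the
// backslash) a valid GBK trail byte, so the backslash addslashes() inserts is
// absorbed into the preceding character and the quote is left unescaped.
$payload = "\xbf' OR 1=1 -- ";
$escaped = addslashes($payload);

printf("escaped bytes: %s\n", strtoupper(bin2hex($escaped)));
printf("live quotes as ISO-8859-1 (what addslashes assumes): %d\n",
       live_quotes($escaped, 'ISO-8859-1'));
printf("live quotes as GBK (what the server sees on a GBK connection): %d\n",
       live_quotes($escaped, 'GBK'));

// The vulnerable pattern the post warns about: escaping done without regard
// to the connection charset, then concatenated into the SQL text.
$vulnerable = "SELECT id FROM users WHERE name = '" . $escaped . "'";
printf("vulnerable query: %s\n", $vulnerable);

// Two correct alternatives using mysqli, which replaced the mysql_* functions
// removed in PHP 7. Both need a live connection, so they are only defined
// here; table and column names are assumptions for the example.
//
// (a) Charset-aware escaping: tell the client library the charset through
//     set_charset(), not through a "SET NAMES" query, so that
//     real_escape_string() knows which bytes are lead bytes.
function escaped_lookup(mysqli $db, string $name): string
{
    $db->set_charset('gbk');
    return "SELECT id FROM users WHERE name = '" . $db->real_escape_string($name) . "'";
}

// (b) A prepared statement: the value travels separately from the SQL text
//     and never passes through the SQL parser, so no escaping is needed.
function find_user(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Decoded as a single-byte charset the escaped value has no live quote, which is the picture addslashes() and mysql_escape_string() work from; decoded as GBK the bytes BF 5C collapse into one character and the quote that follows is live, so the concatenated query ends in OR 1=1. Of the two alternatives, (b) is the one to reach for: (a) is only correct while the charset the client library knows about matches the one the server is actually using.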



Origin blog.csdn.net/chengshaolei2012/article/details/72675030