SQL injection protection
Wide-byte injection
For wide-byte encodings such as GBK, one of the best fixes is:
(1) Call mysql_set_charset('gbk') to tell the client library which character set the connection uses
(2) Escape the value with mysql_real_escape_string()
The principle: unlike addslashes(), mysql_real_escape_string() takes the currently set character set into account, so a lead byte such as 0xe5 can no longer be spliced together with the escaping backslash 0x5c into one wide character. But how does it know the "current character set"?
That is exactly what mysql_set_charset() specifies.
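Why the two-step fix works, as an added example (not code from the page, PHP or MySQL): a byte-level model of addslashes() against the rule a charset-aware escaper such as mysql_real_escape_string() follows once mysql_set_charset() has told it the charset, plus a model of how a GBK-aware SQL lexer then reads the escaped literal. The GBK lead/trail byte ranges are assumed to be the standard ones and the sample input is constructed.

```python
# Added example (not from the page, PHP or MySQL); GBK byte ranges assumed:
# lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0x80-0xFE.
SPECIAL = {0x00, 0x27, 0x22, 0x5C}  # NUL ' " \ : the bytes addslashes() escapes

def is_gbk_head(b: int) -> bool:
    return 0x81 <= b <= 0xFE

def is_gbk_char(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a well-formed two-byte GBK character."""
    return (i + 1 < len(data) and is_gbk_head(data[i])
            and (0x40 <= data[i + 1] <= 0x7E or 0x80 <= data[i + 1] <= 0xFE))

def addslashes(data: bytes) -> bytes:
    """Charset-unaware: a 0x5c goes in front of every special byte, nothing else."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_gbk(data: bytes) -> bytes:
    """Charset-aware: a valid GBK character is copied whole; a lead byte that does
    NOT start a valid character is itself escaped, so it can never pair up with
    the 0x5c that escapes the following quote."""
    out, i = bytearray(), 0
    while i < len(data):
        if is_gbk_char(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        if is_gbk_head(data[i]) or data[i] in SPECIAL:
            out.append(0x5C)
        out.append(data[i])
        i += 1
    return bytes(out)

def literal_ends_early(body: bytes) -> bool:
    """Model of a GBK-aware lexer reading the body of a '...' literal: a two-byte
    character is consumed whole, a backslash skips the next byte, a bare quote ends it."""
    i = 0
    while i < len(body):
        if body[i] == 0x27:  # bare quote: the literal terminates here, too early
            return True
        i += 2 if is_gbk_char(body, i) or body[i] == 0x5C else 1
    return False

SAMPLE = b"\xe5'"  # constructed input: the page's lead byte 0xe5 followed by a quote
```

The escaping only helps when the client library knows the connection charset, which mysql_set_charset() (mysqli_set_charset() in current PHP) guarantees and a SET NAMES query issued as plain SQL does not. Prepared statements with bound parameters avoid the problem without any escaping.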
Character (string) injection
Escape the value with mysql_real_escape_string()
Limit the length of the entered string with strlen()
Numeric injection
Validate or cast the input with is_numeric(), ctype_digit(), intval() or a regular expression
Limit the length of the input with strlen()
Error-based injection
Turn off error reporting,
or suppress the error with the @ operator
Command execution
Use the escapeshellarg() and escapeshellcmd() functions