
  MySQL and SQL injection

  If you take data entered by a user through a web page and insert it into a MySQL database, SQL injection can occur.

  This section explains how to prevent SQL injection and how to filter the characters used in SQL injection scripts.

  SQL injection means inserting SQL commands into a web form submission, a domain name, or a page request query string, so that the server is tricked into executing malicious SQL commands.

  Never trust user input. Treat all data entered by the user as unsafe, and filter every piece of user-entered data before processing it.

  In the following example, the user name must be a combination of letters, digits and underscores, and its length must be between 8 and 20 characters:

  // \w allows only letters, digits and underscore; {8,20} limits the length
  if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
  {
      // only the validated value ($matches[0]) ever reaches the query
      $result = mysql_query("SELECT * FROM users
                             WHERE username='$matches[0]'");
  }
  else
  {
      echo "username input error";
  }

  Now look at what happens when special SQL characters are not filtered:

  // $name contains an SQL statement that we do not want inserted
  $name = "Qadir'; DELETE FROM users;";

  mysql_query("SELECT * FROM users WHERE name='{$name}'");

  In the injection statement above, the variable $name was not filtered, so the SQL statement we did not want inserted into $name would delete all the data in the users table.

  mysql_query() in PHP does not allow executing multiple SQL statements in one call, but SQLite and PostgreSQL can execute multiple SQL statements at once, so with those databases user data needs to be validated strictly.

  To prevent SQL injection, pay attention to the following points:

  1. Never trust user input. Validate the user's input, for example with a regular expression or by limiting its length, and convert single quotes, double quotes, "--" and similar characters.

  2. Never assemble SQL dynamically. Use parameterized SQL directly, or use stored procedures for data queries and access.

  3. Never connect with database administrator privileges; use a separate database connection with limited permissions for each application.

  4. Do not store confidential information directly; encrypt or hash passwords and other sensitive information.

  5. Application exception messages should give as few hints as possible; it is best to wrap the original error message in a custom error message.

  6. SQL injection is generally detected with supporting software or a web platform. Commonly used SQL injection detection software includes jsky; on the web platform side there are the Yisi website security detection platform tool, MDCSOFT SCAN and so on. Using MDCSOFT-IPS can effectively defend against SQL injection and XSS attacks.

  Prevent SQL injection

  In scripting languages such as Perl and PHP you can escape the data entered by the user in order to prevent SQL injection.

  The PHP MySQL extension provides the mysql_real_escape_string() function to escape special characters in the input.

  // if magic_quotes_gpc is on, PHP has already added slashes; strip them
  // first so that the value is not escaped twice
  if (get_magic_quotes_gpc())
  {
      $name = stripslashes($name);
  }

  // escape characters such as ' " \ and NUL for the current connection charset
  $name = mysql_real_escape_string($name);

  mysql_query("SELECT * FROM users WHERE name='{$name}'");

  Injection in LIKE statements

  In a LIKE query, if the user enters "_" or "%" the following happens: the user only wanted to search for "abcd_", but the results also contain "abcd_", "abcde", "abcdf" and so on; a user searching for "30%" (meaning thirty percent) also gets wrong results.

  In a PHP script we can use the addcslashes() function to handle this, as in the following example:

  // escape the LIKE wildcards % and _ after the normal SQL escaping
  $sub = addcslashes(mysql_real_escape_string("%something_"), "%_");

  // $sub == \%something\_

  mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

  The addcslashes() function adds a backslash before the specified characters.

  Syntax:

  addcslashes(string,characters)

  Parameter    Description

  string       Required. Specifies the string to check.

  characters   Optional. Specifies the characters or range of characters affected by addcslashes().

  For specific applications see: PHP addcslashes() function
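  As an added example that is not part of the original article, here is how point 2 of the list (parameterized SQL instead of dynamically assembled SQL) and the LIKE wildcard case above look with PDO prepared statements. The sample rows, the in-memory SQLite database used so the script runs stand-alone, and the choice of "!" as the LIKE escape character are assumptions for the demo; the table and column names follow the article.

```php
<?php
// Added example (not from the original article): the lookups above rewritten with
// PDO prepared statements. An in-memory SQLite database is used so that the script
// runs stand-alone; for MySQL only the DSN would change, for example
// new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows (table names users/messages as in the article).
$db->exec('CREATE TABLE users (name TEXT)');
$db->exec('CREATE TABLE messages (subject TEXT)');
$ins = $db->prepare('INSERT INTO users (name) VALUES (?)');
foreach (['Qadir', 'alice'] as $n) { $ins->execute([$n]); }
$ins = $db->prepare('INSERT INTO messages (subject) VALUES (?)');
foreach (['abcd_x', 'abcde', 'abcdf', '30% off', '300 items'] as $s) { $ins->execute([$s]); }

function findUserByName(PDO $db, string $name): array
{
    // The value is sent as a bound parameter, never spliced into the SQL text,
    // so "Qadir'; DELETE FROM users;" is simply compared as a (non-matching) name.
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function escapeLike(string $s, string $esc = '!'): string
{
    // Binding does not neutralise LIKE wildcards: a bound "abcd_" still matches
    // "abcde". Prefix %, _ and the escape character itself with the escape
    // character (the escape character must be handled first). '!' is used rather
    // than a backslash so the same SQL text works on both MySQL and SQLite.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

function findSubjectsStartingWith(PDO $db, string $prefix): array
{
    // ESCAPE declares the character chosen in escapeLike(); the trailing % is ours.
    $stmt = $db->prepare("SELECT subject FROM messages WHERE subject LIKE :pat ESCAPE '!'");
    $stmt->execute([':pat' => escapeLike($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The injection string from the article is looked up as a literal name; nothing is deleted.
print_r(findUserByName($db, "Qadir'; DELETE FROM users;"));
print_r(findUserByName($db, 'Qadir'));
// The prefixes "abcd_" and "30%" now match only a literal underscore / percent sign.
print_r(findSubjectsStartingWith($db, 'abcd_'));
print_r(findSubjectsStartingWith($db, '30%'));
print_r($db->query('SELECT COUNT(*) FROM users')->fetchColumn()); // users table still intact
```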

  This article is reprinted from: w3cschool

  (Editor: Leilin Peng. Source: the internet; will be removed on request of the copyright holder.)


Origin: www.cnblogs.com/linpeng1/p/10936781.html