2017-07-25 PDO prepared statements and preventing SQL injection

First, look at a PHP login with no protection at all. The HTML page code:

<html>
    <head><title>用户登录</title></head>
    <body>
        <fieldset>
        <legend><h3>用户登录</h3></legend>
        <form action="user_login_pro.php" method="post">
        用户账号:<input type="text" name="name"><br><br>
        用户密码:<input type="password" name="password"><br><br>
        <input type="submit" value="登录">
        </form>
        </fieldset>
    </body>
</html>

Followed by the PHP processing code (user_login_pro.php):

<?php
// include the PDO database connection file (defines $pdo)
require './database/db.php';

// user input is interpolated straight into the SQL text
$name = $_POST['name'];
$password = $_POST['password'];
$sql = "select * from user where name ='{$name}' and password ='{$password}'";
$res = $pdo->query($sql);
$row = $res->fetch(PDO::FETCH_ASSOC);

if($row){
    echo "login success";
}else{
    echo "login error";
}

Results page:

As the code above shows, we enter an account name and password, the page processes them and compares them against the database; if the account and password are correct it outputs login success, otherwise login error. That works normally, but if we enter ' or 1 = 1 # as the account name, the page also outputs login success. This is SQL injection: the input has changed our SQL statement. What does the resulting SQL statement look like? select * from user where name = '' or 1 = 1 # ' and password = ''; the WHERE condition is now always true, and the rest of the statement is commented out. There are many variations of this, so how do we prevent SQL injection?

 

1. PDO prepared statements

<?php
// include the PDO database connection file (defines $pdo)
require './database/db.php';

// 1. Prepare the statement: "?" placeholders stand in for the values
$sql = "select * from user where name = ? and password = ?";
$res = $pdo->prepare($sql);

// 2. Bind the parameters
$name = $_POST['name'];
$password = $_POST['password'];

$res->bindParam(1, $name);
$res->bindParam(2, $password);

// 3. Execute the prepared statement
$res->execute();

// 4. Fetch the result row
$row = $res->fetch(PDO::FETCH_ASSOC);

// 5. Check the result
if($row){
    echo "login success";
}else{
    echo "login error";
}

 

We use the ? placeholder to separate the fixed part of the SQL statement from the variable data. Repeating the steps above and entering ' or 1 = 1 # again now outputs login error. The injection is successfully prevented.
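To see both outcomes side by side, here is an added, self-contained example (not code from the original post) that runs the vulnerable interpolated query and the prepared statement against an in-memory SQLite database. The table, the user row, and the attacker input are constructed for the demo; SQLite uses -- for comments where MySQL also accepts #, so the injection string ends with "-- " instead of "#".

```php
<?php
// Added example, not from the original post. Uses SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed test data: one user with a known password.
$pdo->exec("create table user (name text, password text)");
$pdo->exec("insert into user values ('alice', 'secret')");

// Constructed attacker input: closes the quote, adds an always-true
// condition and comments out the password check ("-- " is SQLite's
// comment marker; the post's MySQL example uses "#").
$name = "' or 1 = 1 -- ";
$password = "wrong";

// Vulnerable version from the post: the input becomes part of the SQL text,
// so the always-true condition replaces the password check and a row matches.
$sql = "select * from user where name ='{$name}' and password ='{$password}'";
$row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
echo "interpolated query: ", $row ? "login success" : "login error", "\n";

// Prepared statement: the SQL text is fixed at prepare() time and the "?"
// placeholders receive the values as data, so the quote and comment marker
// are compared literally against the name column and nothing matches.
$stmt = $pdo->prepare("select * from user where name = ? and password = ?");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $password);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "prepared statement:  ", $row ? "login success" : "login error", "\n";

// bindParam binds by reference, so reassigning the variables and executing
// again checks that valid credentials still log in through the same statement.
$name = "alice";
$password = "secret";
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "valid credentials:   ", $row ? "login success" : "login error", "\n";
```

Run with `php example.php` (requires the pdo_sqlite extension); the interpolated query logs in with the injected input, the prepared statement rejects it, and only the real credentials succeed.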

 

 

2. Escaping with the addslashes() function

<?php
// include the PDO database connection file (defines $pdo)
require './database/db.php';

// escape the account name before it is interpolated into the SQL text
$name = addslashes($_POST['name']);
$password = $_POST['password'];
$sql = "select * from user where name ='{$name}' and password ='{$password}'";
//print_r($sql);die();
$res = $pdo->query($sql);
$row = $res->fetch(PDO::FETCH_ASSOC);

if($row){
    echo "login success";
}else{
    echo "login error";
}

 

Trying the same SQL injection against this version also fails, so it is prevented as well. The addslashes() function adds a backslash before certain predefined characters: the single quote ('), the double quote ("), the backslash (\) and NUL (the NULL character). After this treatment the SQL statement becomes: select * from user where name = '\' or 1 = 1 #' and password = '1234567';

 

3. intval()

In many cases we use URLs of the form xxx.php?id=xxx, where $id is normally an integer variable. To prevent an attacker from tampering with $id to attack the statement, we force the variable's type. The PHP code that prevents SQL injection here is $id = intval($_GET['id']);

<?php
// intval() forces the value to integer type, so it cannot be changed into SQL
$id = "abc123";
echo intval($id);

 

The output is 0. So intval() converts the string into an integer, and because the value is forced to integer type it cannot be tampered with.

 


Source: www.cnblogs.com/zhangxu-fasu/p/11245886.html