Precautions against SQL injection vulnerabilities, based on the Pikachu test platform

Code level

1. Strictly filter and escape all input.
2. Use pre-processing (prepared statements) with parameterized queries.

The network level

1. Enable anti-SQL-injection strategies on a WAF device (or a similar protection system).
2. Cloud protection (360 Website Guard, Alibaba Cloud Shield, etc.)

Recommended practice: use PDO pre-processing (prepared statements + parameterization)

PDO (PHP Data Objects) is a unified interface for accessing various databases.
When a parameter passed from the front end is used in a database operation, the SQL written with PDO does not splice the passed value directly into the statement; the parameter position is written as a placeholder instead.

$pdo = new PDO('mysql:host=localhost;dbname=Ant', 'root', 'root');
$sql = "SELECT * FROM admin WHERE username = ? AND password = ?";

When PDO talks to the database, this SQL statement, with placeholders where the parameter values will go, is first handed to the database driver for pre-processing, so the logic of the statement is compiled before any parameter value is seen:

$stmt = $pdo->prepare($sql); // prepare first, without passing any parameters

Only then are the parameters passed in:

$stmt->execute(array($username, $password));
// The values are bound to the indexed placeholders instead of being spliced into the SQL text, which is what prevents injection.
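As an added example that is not part of the original post, the following script puts the spliced query next to its prepared-statement form and runs both against an in-memory SQLite table built inline, so it works without a MySQL server; the table layout, its rows and the probe string are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Uses an in-memory SQLite database built
// here so it runs without a MySQL server; table layout and rows are assumptions.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $pdo->exec("INSERT INTO admin (username, password) VALUES ('admin', 'S3cret!'), ('bob', 'hunter2')");
    return $pdo;
}

// Vulnerable form: the values become part of the SQL text, so a quote in the input
// changes the structure of the query instead of being compared as data.
function loginSpliced(PDO $pdo, string $username, string $password): int {
    $sql = "SELECT * FROM admin WHERE username = '$username' AND password = '$password'";
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Hardened form: the statement is prepared (compiled) first with ? placeholders,
// and the values are bound afterwards, so they can only ever be data.
function loginPrepared(PDO $pdo, string $username, string $password): int {
    $stmt = $pdo->prepare('SELECT * FROM admin WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$pdo = makeDb();
$probe = "' OR '1'='1";   // constructed test input: a closing quote followed by an always-true clause

// Valid credentials match exactly one row in both forms.
printf("spliced, valid creds:   %d row(s)\n", loginSpliced($pdo, 'admin', 'S3cret!'));
printf("prepared, valid creds:  %d row(s)\n", loginPrepared($pdo, 'admin', 'S3cret!'));

// With the probe in both fields the spliced query returns every row (2 here), because
// the WHERE clause now ends in OR '1'='1'; the prepared query treats the same string
// as a literal username and returns 0.
printf("spliced, probe input:   %d row(s)\n", loginSpliced($pdo, $probe, $probe));
printf("prepared, probe input:  %d row(s)\n", loginPrepared($pdo, $probe, $probe));
```

The script needs the pdo_sqlite extension, which ships with most PHP builds; the row counts are the only thing that differs between the two forms, and that difference is the whole point of the recommended practice.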

Topology: deploy the WAF device in front of the web application server.
Enabling cloud protection:
The domain name is resolved by DNS to the cloud vendor's IP, so the attacker's traffic passes through the cloud before being forwarded to the real server; the cloud protection cluster provides a cloud WAF, DDoS cleaning and SDN acceleration.



Source: blog.csdn.net/qq_43499389/article/details/104970590