PHP function used to solve SQL injection

By: iSee, Date: Sun, 19 Apr 2009, Time: 9:34 PM

SQL injection caused a great stir in ASP, and of course many well-known PHP programs have "fallen" to it as well. There are already plenty of articles online covering the details of SQL injection, so they are not repeated here.
If magic_quotes_gpc in your hosting space's php.ini file is set to Off, PHP will not add a backslash (\) before sensitive characters. Because the content of a form submission may contain sensitive characters, such as the single quotation mark ('), this leads to an SQL injection vulnerability. In this case, we can use addslashes() to solve the problem: it automatically adds a backslash before each sensitive character.
However, the above method only applies when magic_quotes_gpc = Off. As a developer, you do not know whether each user's magic_quotes_gpc is On or Off, so if you run all data through addslashes(), isn't that "killing the innocent"? Let us look at what happens if magic_quotes_gpc = On and the addslashes() function is also used:
<?php
// Suppose the form submits the variable $_POST['message'] with the content: Tom's book
// Add your own code here to connect to the MySQL database
// Add a backslash before the sensitive characters in $_POST['message']
$_POST['message'] = addslashes($_POST['message']);

// Because magic_quotes_gpc = On, a backslash has now been added before the sensitive characters a second time
$sql = "INSERT INTO msg_table VALUE ('$_POST[message]');";

// Send the request and save the content to the database
$query = mysql_query($sql);

// If you read this record back from the database and output it, you will see Tom\'s book
?>

So in an environment where magic_quotes_gpc = On, every single quote (') that is entered will become (\')...
In fact, we can use the get_magic_quotes_gpc() function to solve this problem easily. When magic_quotes_gpc = On, the function returns TRUE; when magic_quotes_gpc = Off, it returns FALSE. By now many readers will have realized that the problem is solved. See the code:
<?php
// If magic_quotes_gpc = Off, add a backslash before the sensitive characters in the submitted $_POST['message']
// If magic_quotes_gpc = On, do not add one
if (!get_magic_quotes_gpc()) {
    $_POST['message'] = addslashes($_POST['message']);
} else {}
?>
At this point the problem has in fact been solved. Here is one more small trick.
Sometimes a form submits more than one variable; there may be a dozen or even several dozen. Copying and pasting addslashes() over and over is a bit of trouble, isn't it? Since data obtained from a form or a URL arrives in the form of an array (such as $_POST, $_GET), we can define a "Total Annihilation" function:
<?php
function quotes($content)
{
    // If magic_quotes_gpc = Off, begin processing
    if (!get_magic_quotes_gpc()) {
        // Determine whether $content is an array
        if (is_array($content)) {
            // If $content is an array, process each of its elements
            foreach ($content as $key => $value) {
                $content[$key] = addslashes($value);
            }
        } else {
            // If $content is not an array, process it only once
            $content = addslashes($content);
        }
    } else {
        // If magic_quotes_gpc = On, do not process it
    }
    // Return $content
    return $content;
}
?>
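
The functions above depend on the magic_quotes_gpc setting (removed in PHP 5.4) and on get_magic_quotes_gpc() (removed in PHP 8.0), and mysql_query() was removed in PHP 7.0. The following added example, which is not part of the original article, stores the same $_POST['message'] value with a PDO bound parameter, so no escaping function is involved. It assumes the pdo_sqlite extension, uses an in-memory SQLite database in place of MySQL, and the column name message is hypothetical.

```php
<?php
// Added example: store the page's $_POST['message'] value with a bound parameter.
// Assumptions: pdo_sqlite is available; an in-memory SQLite database stands in
// for MySQL; the column name "message" is hypothetical.

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw exceptions on SQL errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE msg_table (message TEXT NOT NULL)');
    return $pdo;
}

function save_message(PDO $pdo, string $message): void
{
    // The value travels separately from the SQL text, so quotes in it are data.
    $stmt = $pdo->prepare('INSERT INTO msg_table (message) VALUES (:message)');
    $stmt->execute([':message' => $message]);
}

function all_messages(PDO $pdo): array
{
    return $pdo->query('SELECT message FROM msg_table ORDER BY rowid')
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample inputs, standing in for $_POST['message'].
$samples = [
    "Tom's book",
    "x'); DROP TABLE msg_table; --",
    'back\\slash and "double" quotes',
];

$pdo = open_db();
foreach ($samples as $input) {
    save_message($pdo, $input);
}

$stored = all_messages($pdo);
foreach ($samples as $i => $input) {
    // Each value must come back byte-for-byte, with no added backslashes.
    printf("%-35s %s\n", $input, $stored[$i] === $input ? 'stored unchanged' : 'ALTERED');
}
// The table still exists and holds exactly the rows that were inserted.
printf("rows: %d\n", count($stored));
```

Against MySQL the same functions work with a `mysql:` DSN; setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use server-side prepared statements.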
