防止 SQL 注入从两点入手：
1. 前端输入口限制特殊字符输入（只是改善体验、减少无效请求；攻击者可以绕过浏览器直接构造请求，所以这不是安全控制）
2. 后端做变量转换、过滤和变量参数化（真正的防线是预处理语句 + 参数绑定；后端必须在不信任前端校验的前提下独立校验）
具体实例:
前端input部分
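<!-- Client-side constraints only: maxlength/pattern improve UX and cut down on
     invalid requests, but are trivially bypassed (curl, browser dev tools), so
     they are NOT an SQL-injection or input-validation control. The server must
     validate independently. The pattern attribute is implicitly anchored, so the
     ^ and $ are redundant but harmless. -->
<input type="text" name="username" class="form-control" placeholder="用户名" maxlength="16" pattern="^[a-zA-Z0-9\u4e00-\u9fa5]{1,16}$" />
<!-- Do not cap passwords at 16 characters or restrict their character set: the
     value is hashed server-side and passed as a bound parameter, so any byte is
     safe to accept. Allow at least 64 characters (NIST SP 800-63B). -->
<input type="password" name="password" class="form-control" placeholder="密码" maxlength="64" />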
后端php部分一:
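// Read the submitted form fields. Missing keys default to '' so an absent
// field does not raise an "undefined index" notice and is never null.
$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');
$verifycode = (string) ($_POST['verifycode'] ?? '');
$code = (string) ($_SESSION['code'] ?? ''); // CAPTCHA value generated server-side

// Deliberately NO addslashes()/htmlspecialchars() on the inputs here:
//  - escaping is not an SQL-injection defence; the prepared statement with
//    bind_param() in part two is, and it needs the raw value;
//  - HTML-escaping belongs at output time, otherwise stored data is already
//    encoded and gets double-encoded when displayed;
//  - escaping the password before hashing hashes a different string than the
//    user typed, and escaping the server's own $code was pointless.

// Compare the CAPTCHA in constant time. A plain == would also be subject to
// type juggling ("0e123" == "0e456" is true for numeric-looking strings).
if ($code === '' || !hash_equals($code, $verifycode)) {
    exit('验证码错误');
}

// Password derivation. NOTE(review): md5 — even doubled with a static key — is
// unsuitable for passwords: it is fast and not salted per user, so a leaked
// table can be brute-forced in bulk. It is kept only because the lookup in part
// two compares the hash inside the WHERE clause; migrate to password_hash() at
// registration and password_verify() against the stored hash after fetching the
// row by username alone.
$key = '1234&&xxx@';
$password = md5(md5($password . $key));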
PHP 简单的数据过滤（传统做法，仅作了解；现代 PHP 应直接使用预处理语句 + 参数绑定）
1) 入库: trim($str)，然后通过参数绑定传入数据库。addslashes($str) 不是数据库感知的转义，无法正确处理连接字符集/多字节边界，不应作为 SQL 注入防护；若确实必须拼接 SQL，至少用 mysqli_real_escape_string()。
2) 出库: 转义只影响 SQL 解析，正确转义后数据库里保存的是原文，出库时不需要 stripslashes($str)；如果需要它，说明入库时被重复转义了（例如 magic_quotes 与 addslashes 叠加）。
3) 显示: nl2br(htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'))——注意顺序是先 htmlspecialchars 再 nl2br，否则 nl2br 插入的 &lt;br /&gt; 会被转义而无法换行。
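/*
 * Legacy blacklist / escaping helpers.
 *
 * NOTE(review): a keyword blacklist is NOT an SQL-injection defence. It is
 * bypassed by comments, alternate encodings and tokens the list does not cover,
 * and it rejects legitimate input that merely contains "or" or "and". Use
 * prepared statements with bound parameters; these functions are kept for
 * callers that still depend on them. eregi() was removed in PHP 7.0 and
 * get_magic_quotes_gpc() in PHP 8.0, so the original versions fatal on any
 * current PHP; they are replaced below without changing the checks performed.
 */

/**
 * Case-insensitively scan $sql_str for the blacklisted SQL tokens.
 *
 * @param string $sql_str raw value to inspect
 * @return bool true when any listed token occurs
 */
function inject_check($sql_str) {
    // Same token list as the original eregi() pattern, expressed as a PCRE.
    $blacklist = '/select|insert|and|or|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i';
    return preg_match($blacklist, (string) $sql_str) === 1;
}

/**
 * Validate an id parameter: it must be present (truthy), pass inject_check()
 * and be numeric. Terminates the script with a message otherwise, as the
 * original did.
 *
 * @param mixed $id value taken from the request
 * @return int the id as returned by intval()
 */
function verify_id($id = null) {
    // Note: "0" is also rejected here because it is falsy.
    if (!$id) {
        exit('没有提交参数!');
    }
    // The numeric check below already rejects anything the blacklist would;
    // the blacklist call is retained for parity with the original order.
    if (inject_check($id)) {
        exit('提交的参数非法!');
    }
    if (!is_numeric($id)) {
        exit('提交的参数非法!');
    }
    return intval($id);
}

/**
 * Backslash-escape $str for an SQL string context and escape the LIKE
 * wildcards "_" and "%".
 *
 * addslashes() is not charset-aware; with a live connection prefer
 * mysqli_real_escape_string(), or better, a bound parameter.
 *
 * @param string $str
 * @return string
 */
function str_check($str) {
    // get_magic_quotes_gpc() has returned false since PHP 5.4 and no longer
    // exists in 8.0, so the escape is applied unconditionally.
    $str = addslashes($str);
    // Only meaningful inside a LIKE pattern; harmless elsewhere.
    return str_replace(['_', '%'], ['\_', '\%'], $str);
}

/**
 * Escape a POST value for SQL string context AND for HTML display in one step.
 *
 * Mixing the two means the stored value is already HTML-encoded; escape for
 * HTML at output time instead. Kept for compatibility.
 *
 * Fix relative to the original: htmlspecialchars() now runs before nl2br(),
 * otherwise the inserted <br /> tags were themselves escaped and never
 * rendered as line breaks.
 *
 * @param string $post
 * @return string
 */
function post_check($post) {
    $post = addslashes($post);
    $post = str_replace(['_', '%'], ['\_', '\%'], $post);
    $post = htmlspecialchars($post);
    return nl2br($post);
}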
预防数据库攻击的做法(二)：对值转义并加引号后拼接 SQL 的历史做法。注意 mysql_* 扩展已在 PHP 7.0 移除、get_magic_quotes_gpc() 在 PHP 8.0 移除；这种方式依赖转义正确且弱于预处理语句，首选做法见下文的 prepare()/bind_param() 示例。
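<?php
// Login lookup using mysqli prepared statements.
//
// The original listing quoted escaped values into the SQL text via
// check_input() using ext/mysql (removed in PHP 7.0) and get_magic_quotes_gpc()
// (removed in PHP 8.0). With bound parameters the query text is fixed and the
// values travel separately, so their content cannot alter the statement and no
// quoting helper is needed.

// Make driver failures throw instead of returning false that is then ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// NOTE(review): the original selected no database; pass it as the 4th argument.
$con = new mysqli("localhost", "hello", "321");
// Pin the connection charset so client-side encoding assumptions hold.
$con->set_charset('utf8mb4');

// Missing fields default to '' rather than null.
$user = (string) ($_POST['user'] ?? '');
$pwd = (string) ($_POST['pwd'] ?? '');

// Placeholders instead of interpolated values.
$sql = "SELECT * FROM users WHERE user = ? AND password = ?";
$stmt = $con->prepare($sql);
$stmt->bind_param('ss', $user, $pwd);
$stmt->execute();
// NOTE(review): matching the password inside the WHERE clause only works for
// plaintext or unsalted hashes. Prefer fetching the row by user alone and
// checking with password_verify() against a password_hash() value.
$result = $stmt->get_result();

$stmt->close();
$con->close();
?>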
后端php部分二:
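// Connection settings. NOTE(review): hard-coded root credentials belong in
// configuration outside the web root, and the application should connect with
// a least-privilege account (SELECT on the tables it needs), not root.
$url = "localhost";
$usr = "root";
$paw = "123";
$database = "mdb";

// Throw on driver errors so a failed connect or prepare cannot be ignored.
// The original called mysqli_error($link) with $link === false after a failed
// connect, which is itself an error in PHP 8.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = mysqli_connect($url, $usr, $paw, $database);
// Pin the connection charset so client-side encoding assumptions hold.
$link->set_charset('utf8mb4');

// Parameterised query: the SQL text is fixed and the values are bound, so
// neither $username nor $password can change the statement. No escaping of
// the inputs is needed (or wanted) beforehand.
$sql = "SELECT * FROM yonghu WHERE username = ? and password= ?";
$stmt = $link->prepare($sql);
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$result = $stmt->get_result(); // requires the mysqlnd driver
// NOTE(review): matching the password in SQL presumes a deterministic hash
// (here the md5 from part one). Prefer selecting by username only and using
// password_verify() against a stored password_hash() value.
// while ($row = $result->fetch_assoc()) {
//     // do something with $row
// }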