php中如何防范sql注入（How to prevent SQL injection in PHP）.doc

php中如何防范sql注入（How to prevent SQL injection in PHP） How to prevent SQL injection in PHP In PHP coding, if you take into account some of the more basic security issues, first of all: 1. initialize your variables If ($admin) { Echo login successful! ; Include (admin.php); } Else { Echo you are not an administrator and cannot be managed! ; } Well, we see that the above code seems to work properly. No problem, so join me and submit an illegal parameter. How about the effect? For our page is /login.php, then we submit: /login.php? Admin=1, oh, you want to, we are not directly is the administrator, direct management. Of course, we could not have made such a mistake simply wrong, so some hidden errors may also cause this problem, such as the recent storms out of the phpwind 1.3.6 forum is a loophole, which can directly get administrator privileges, because there is a $skin variable is not initialized, lead to a series of problems behind. So how do we avoid the above problems? First of all, starting with php.ini, the register_global = off in php.ini, that is, not all registered variables are global, can be avoided. But we are not server administrators and can only be improved from code, so how can we improve the code above? Lets rewrite as follows: $admin = 0; / / initialize variables if ($_ post _ [admin] $_ use post _ pass [admin]) { / / / / / / / / / / / / / / 判断提交的管理员用户名和密码是不是对的相应的处理代码 / / / / / / / / / / / / / /. admin = $1. } else { admin = $0; } if (admin) { echo 登陆成功.; include (admin.php). } else { echo 你不是管理员, 无法进行管理.; } 那么这时候你再提交 http: / / / login.php? admin = 1 就不好使了, $因为我们在一开始就把变量初始化为 admin = 0 了, 那么你就无法通过这个漏洞获取管理员权限. 2. 防止sql injection (sql注射) sql 注射应该是目前程序危害最大的了, 包括最早从asp到php, 基本上都是国内这两年流行的技术, 基本原理就是通过对提交变量的不过滤形成注入点然后使恶意用户能够提交一些sql查询语句, 导致重要数据被窃取、数据丢失或者损坏, 或者被入侵到后台管理. 那么我们如何去防范呢? 这个就应该我们从代码去入手了. 我们知道web上提交数据有两种方式, 一种是get、一种是post, 那么很多常见的sql注射就是从get方式入手的, 而且注射的语句里面一定是包含一些sql语句的, 因为没有sql语句, 那么如何进行, sql语句有四大句. Select, update, delete, insert, so can we avoid the