How to Prevent a site from SQL INJECTION

I am planning to start a site from scratch using PHP & MySQL with an MVC architecture. But according to the client's requirement the site must be protected from SQL INJECTION and CODE INJECTION.

What are the necessary steps I need to take?

OR

Which is the best framework to start the site with that prevents SQL INJECTION and CODE INJECTION?

I didn't ask this to create a discussion, keep that in mind. I just want to know which one is better so that I can start with professional guidance.

Thanks in advance...

By far the most reliable way to prevent SQL injection is to use mysqli parameterized queries exclusively instead of building SQL statements manually.

It's much better than mysql_real_escape_string() because the risk of accidentally forgetting to use it is lower.

To prevent server-side code injection, don't ever, under any circumstances, use eval().

To prevent Javascript injection, treat all user-generated content with strip_tags() before displaying it or storing it in the DB.

Use mysql_real_escape_string() to escape all input from $_GET[], $_POST[], etc. immediately.

These two functions will help you:

function escape($escape)
{
    // Escape a string for use inside a quoted SQL literal
    // (needs an open mysql connection, otherwise it returns false).
    $escape = mysql_real_escape_string($escape);
    return $escape;
}

function _INPUT($name)
{
    // Read a form field from GET or POST and strip HTML tags from it;
    // a missing field yields an empty string instead of a notice.
    if ($_SERVER['REQUEST_METHOD'] == 'GET') {
        return strip_tags(isset($_GET[$name]) ? $_GET[$name] : '');
    }
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        return strip_tags(isset($_POST[$name]) ? $_POST[$name] : '');
    }
    return null;
}

Send everything to the DB through the escape() function and grab all form input with _INPUT(). You can use the _INPUT function for every $_POST or $_GET except in boolean functions like empty($_POST['name']) or isset($_POST['name']), etc.

Use mysql_real_escape_string when passing string parameters to build SQL statements. That includes numeric, etc., parameters that you handle as strings.

Use mysql_real_escape_string.

The best way to do this is to use prepared statements, bar none. This will keep you from having to hand-code and balance everything on your own. PHP's mysqli has this built into it and is a good first step into this world. Look at the PHP manual page on this.

After all the good tips given here on escaping your user data before putting it in the database, you must as well think about the second side of the problem.

Escape the outputs

That means every output of your application should be escaped based on the rules of that output format. For example, when you echo something for an HTML page you must escape it via htmlentities, so that any HTML contained in your data will not be HTML in the output. And for a CSV output you should escape quotes or commas, for JSON you should escape things as well, etc.; every output has its rules.

This is sometimes used to store data which is potentially dangerous (JS code, HTML code) in the DB, by only preventing SQL injection before insertion, and then ensuring it is properly escaped before any output.

Another way of thinking is to prevent any JS or HTML code before the database storage, but you should still escape the output (just in case).

Talking about frameworks, you should have a look at Zend Framework: Zend_Filter, Zend_Validate, and the escape functions on views.
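The two recommendations above (mysqli prepared statements for the query, and escaping at output time for the HTML context) combined into one added example; this is not code from any of the answers, and the table, column names, credentials and the $_GET parameter are assumptions:

```php
<?php
// Added example, not from the answers above: a mysqli prepared statement for the
// database lookup plus HTML escaping when the result is displayed.
// Table `posts`, its columns, the credentials and the `author` parameter are assumed.

declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed credentials
$db->set_charset('utf8mb4'); // connection charset must be set for any escaping to be reliable

// VULNERABLE pattern the answers warn against: input concatenated into the SQL text.
// $sql = "SELECT id, title, body FROM posts WHERE author = '" . $_GET['author'] . "'";

// SAFE: the statement is parsed first, the value is bound afterwards, so the
// value can never change the structure of the query whatever it contains.
function findPostsByAuthor(mysqli $db, string $author): array
{
    $stmt = $db->prepare('SELECT id, title, body FROM posts WHERE author = ? LIMIT 50');
    $stmt->bind_param('s', $author); // 's' = string; 'i' for integers, 'd' for doubles
    $stmt->execute();
    // get_result() needs the mysqlnd driver, which is the default in modern PHP builds.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Escape for the HTML output context at output time, not at storage time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$author = (string)($_GET['author'] ?? ''); // assumed request parameter
foreach (findPostsByAuthor($db, $author) as $row) {
    printf("<h2>%s</h2>\n<p>%s</p>\n", h($row['title']), h($row['body']));
}
```

A value such as `' OR '1'='1` in the author parameter is simply compared as a literal string by the prepared statement, and any HTML stored in title or body is rendered as text rather than markup.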
