Most discussion of SQL injection centres on ASP, but plenty of well-known PHP programs, at home and abroad, have had the same problem. The details of SQL injection are covered by many articles online and are not repeated here. If magic_quotes_gpc in your site's php.ini is set to Off, PHP does not add a backslash (\) in front of sensitive characters, and because content submitted from a form may contain such characters (for example the single quote '), a SQL injection vulnerability exists. In that case we can solve the problem with addslashes(), which automatically puts a backslash in front of sensitive characters. However, this only applies when magic_quotes_gpc = Off. As a developer you do not know whether magic_quotes_gpc is On or Off on each user's server, so running addslashes() on all data would be "indiscriminate". Let's look at what happens when magic_quotes_gpc = On and addslashes() is used as well:
<?php
// Suppose a variable submitted from the form arrives in $_POST['message'] with the content: Tom's Book
// Add the code that connects to the MySQL database here yourself
// Add a backslash in front of the sensitive characters in $_POST['message']
$_POST['message'] = addslashes($_POST['message']);
// Because magic_quotes_gpc = On, a backslash is added a second time
$sql = "INSERT INTO msg_table VALUES ('$_POST[message]');";
// Send the request and save the content to the database
$query = mysql_query($sql);
// If you read this record back from the database and output it, you will see: Tom\'s Book
?>
In this case, when magic_quotes_gpc = On, every single quote (') in the input has already become \' before our code runs, and addslashes() then escapes it a second time. We can solve this easily with the get_magic_quotes_gpc() function: it returns true when magic_quotes_gpc = On and false when magic_quotes_gpc = Off. Many readers will already see that this settles the problem. See the code:
<?php
// If magic_quotes_gpc = Off, add a backslash in front of the sensitive characters in the submitted $_POST['message'];
// if magic_quotes_gpc = On, PHP has already done it, so add nothing
if (!get_magic_quotes_gpc()) {
    $_POST['message'] = addslashes($_POST['message']);
}
?>
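The following is an added example, not code from the original article. It shows the same decision applied to a whole request array and exercised under both settings in one run. Because get_magic_quotes_gpc() cannot be toggled at runtime (and no longer exists in PHP 8), the example uses a $magicQuotesOn flag in its place; in real PHP 4/5.3 code you would pass get_magic_quotes_gpc() as that flag. The function names escape_request() and simulate_magic_quotes() and the sample input are invented for the example.

```php
<?php
// Added example (not code from the original article). The $magicQuotesOn
// flag stands in for get_magic_quotes_gpc() so that both settings can be
// tested in a single run.

// Recursively add one layer of backslash escaping, but only when PHP has not
// already done so because magic_quotes_gpc is On. addslashes() escapes the
// single quote, double quote, backslash and NUL byte.
function escape_request($value, $magicQuotesOn)
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $key => $item) {
            $out[$key] = escape_request($item, $magicQuotesOn);
        }
        return $out;
    }
    if ($magicQuotesOn) {
        // PHP already escaped the value when it populated $_GET/$_POST;
        // a second addslashes() would double every backslash.
        return $value;
    }
    return addslashes($value);
}

// Helper that imitates what PHP itself does to $_POST when magic_quotes_gpc
// is On: addslashes() on every scalar, recursively (array_map keeps the keys
// when given a single array).
function simulate_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('simulate_magic_quotes', $value);
    }
    return addslashes($value);
}

// Constructed sample input: the raw bytes a browser would send, including a
// nested field and a literal backslash, which addslashes() also escapes.
$raw = array(
    'message' => "Tom's Book",
    'tags'    => array("O'Reilly", 'plain', 'back\\slash'),
);

// magic_quotes_gpc = Off: PHP hands the raw bytes through unchanged, so we
// escape them ourselves.
$off = escape_request($raw, false);

// magic_quotes_gpc = On: PHP has already run addslashes() on the request, so
// our function must leave the data alone.
$on = escape_request(simulate_magic_quotes($raw), true);

// Both paths must yield exactly one layer of escaping.
var_dump($off === $on);
echo $off['message'], "\n";
echo $off['tags'][2], "\n";

// The bug from the article: unconditional addslashes() on data that PHP has
// already escaped. MySQL would decode this to Tom\'s Book when stored.
$doubled = addslashes(simulate_magic_quotes($raw['message']));
echo $doubled, "\n";

// The escaped value is what the old-style code interpolated into the query.
$sql = "INSERT INTO msg_table VALUES ('" . $off['message'] . "')";
echo $sql, "\n";
```

Run it with any PHP 5 or later interpreter: the comparison prints bool(true), both the On and Off paths give Tom\'s Book, and the unconditional call gives Tom\\\'s Book. One caveat a practitioner should keep in mind: addslashes() works byte by byte and knows nothing about the connection character set, so it is not a complete defence against SQL injection on multibyte connections; mysql_real_escape_string() (which is charset-aware) was the better choice even in this era, and prepared statements with mysqli or PDO are the correct fix today. magic_quotes_gpc itself was deprecated in PHP 5.3, removed in PHP 5.4, and get_magic_quotes_gpc() was removed in PHP 8.0, so new code should not depend on either.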
With that, the problem is solved. Let's also mention a small trick. Sometimes a form submits more than one variable, perhaps a dozen or several dozen, and copying and pasting the check for each one is tedious. Since the data obtained from a form or URL arrives as an array ($_POST, $_GET), we can define a function that "sweeps them all" in one pass: