Summary and analysis of PHP anti-sql injection methods_PHP tutorial
WBOY
Release: 2016-07-13 17:10:50
Original
1571 people have browsed it
SQL injection is a problem that everyone often considers in program development. Let me analyze the common SQL injection prevention codes. Friends in need can refer to it.
1. Basic principles of PHP submission data filtering
1) When submitting variables into the database, we must use addslashes() for filtering. For example, our injection problem can be solved with just one addslashes(). In fact, when it comes to variable values, the intval() function is also a good choice for filtering strings.
2) Enable magic_quotes_gpc and magic_quotes_runtime in php.ini. magic_quotes_gpc can change the quotation marks in get, post, and cookie into slashes. magic_quotes_runtime can play a formatting role in data entering and exiting the database. In fact, this parameter has been very popular since the old days when injection was crazy.
The code is as follows
Copy code
代码如下
复制代码
if ( isset($_POST["f_login"] ) )
{
// 连接数据库...
// ...代码略...
// 检查用户是否存在
$t_strUname = $_POST["f_uname"];
$t_strPwd = $_POST["f_pwd"];
$t_strSQL = "SELECT * FROM tbl_users WHERE username='$t_strUname' AND password = '$t_strPwd' LIMIT 0,1";
$t_strSQL = "SELECT * FROM tbl_users WHERE username='$t_strUname' AND password = '$t_strPwd' LIMIT 0,1";
if ( $t_hRes = mysql_query($t_strSQL) )
{
// Processing after successful query. Omitted...
}
}
?>
sample test
3) When using system functions, you must use escapeshellarg() and escapeshellcmd() parameters to filter, so that you can use system functions with confidence.
4) For cross-site, both parameters of strip_tags() and htmlspecialchars() are good. All tags with html and php submitted by users will be converted. For example, angle brackets "<" will be converted into harmless characters such as "<". <🎜>
The code is as follows
Copy code
$new = htmlspecialchars("Test", ENT_QUOTES);
strip_tags($text,);
5) Regarding the filtering of related functions, just like the previous include(), unlink, fopen(), etc., as long as you specify the variables you want to perform the operation or strictly filter the related characters, I think this will be enough. Impeccable.
2. Simple data filtering with PHP
1) Storage: trim($str),addslashes($str)
2) Deposit: stripslashes($str)
3) Display: htmlspecialchars(nl2br($str))
1. Types of injection attacks
There may be many different types of attack motivations, but at first glance, it appears that there are many more. This is very true - if a malicious user finds a way to perform multiple queries. We will discuss this in detail later in this article.
Such as
If your script is executing a SELECT instruction, an attacker can force the display of every row in a table by injecting a condition such as "1=1" into the WHERE clause, as shown below (where, Injected parts are shown in bold):
The code is as follows
Copy code
SELECT * FROM wines WHERE variety = 'lagrein' OR 1=1;'
As we discussed earlier, this can be useful information in itself, as it reveals the general structure of the table (something a plain record wouldn't), as well as potentially showing the data containing confidential information. Record.
An updated directive potentially poses a more immediate threat. By placing other attributes in the SET clause, an attacker can modify any field in the currently updated record, such as the following example (in which the injected part is shown in bold):
The code is as follows
Copy code
代码如下
复制代码
UPDATE wines SET type='red','vintage'='9999' WHERE variety = 'lagrein'
UPDATE wines SET type='red', 'vintage'='9999' WHERE variety = 'lagrein'
By adding a constant true condition such as 1=1 to the WHERE clause of an update instruction, the scope of this modification can be extended to each record, such as the following example (where the injection part is shown in bold ):
代码如下
复制代码
UPDATE wines SET type='red','vintage'='9999 WHERE variety = 'lagrein' OR 1=1;'
The code is as follows
Copy code
UPDATE wines SET type='red', 'vintage'='9999 WHERE variety = 'lagrein' OR 1=1;'
Probably the most dangerous instruction is DELETE - it's not hard to imagine. The injection technique is the same as we've already seen - extending the scope of affected records by modifying the WHERE clause, as in the example below (where the injection part is in bold):
代码如下
复制代码
DELETE FROM wines WHERE variety = 'lagrein' OR 1=1;'
2. Multiple query injection
Multiple query injections will exacerbate the potential damage an attacker can cause - by allowing multiple destructive instructions to be included in a single query. When using the MySQL database, an attacker can easily achieve this by inserting an unexpected terminator into the query - an injected quote (single or double) marks the end of the expected variable; Then terminate the directive with a semicolon. Now, an additional attack command may be added to the end of the now terminated original command. The final destructive query might look like this:
代码如下
复制代码
SELECT * FROM wines WHERE variety = 'lagrein';
GRANT ALL ON *.* TO 'BadGuy@%' IDENTIFIED BY 'gotcha';'
The code is as follows:
The code is as follows
Copy code
SELECT * FROM wines WHERE variety = 'lagrein';
GRANT ALL ON *.* TO 'BadGuy@%' IDENTIFIED BY 'gotcha';'
This injection will create a new user BadGuy and give it network privileges (all privileges on all tables); there is also an "ominous" password added to this simple SELECT statement. If you followed our advice in the previous article and strictly limited the privileges of the process user, then this should not work because the web server daemon no longer has the GRANT privileges that you revoked. But in theory, such an attack could give BadGuy free rein to do whatever he wants with your database.
return $str;
}
To summarize:
* addslashes() is a forced addition;
* mysql_real_escape_string() will determine the character set, but there are requirements for the PHP version;
* mysql_escape_string does not take into account the current character set of the connection.
To prevent sql injection in dz, you use the addslashes function. At the same time, there are some replacements in the dthmlspecialchars function $string = preg_replace(/&((#(d{3,5}|x[a-fA-F0 -9]{4}));)/, &1, This replacement solves the injection problem and also solves some problems with Chinese garbled characters
http://www.bkjia.com/PHPjc/629645.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629645.htmlTechArticleSQL injection is a problem that everyone often considers in program development. Let me analyze the common ones below. SQL injection prevention code, friends in need can refer to it. 1. PHP submits data...
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn