Depending on the different configurations of the server, some special characters such as '," may be escaped when obtaining data through post and get. This problem is mainly caused by PHP magic quotes. PHP magic quotes include magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase.
.magic_quotes_gpc is summarized as follows:
1. For the case of magic_quotes_gpc=on,我们可以不对输入和输出数据库的字符串数据作 addslashes()和stripslashes()的操作,数据也会正常显示。 如果此时你对输入的数据作了addslashes()处理, 那么在输出的时候就必须使用stripslashes()去掉多余的反斜杠。
必须使用addslashes()对输入数据进行处理,但并不需要使用stripslashes()格式化输出 因为addslashes()并未将反斜杠一起写入数据库,只是帮助mysql完成了sql语句的执行。
Everyone knows the php configuration file php.in. If the magic_quotes_gpc configuration inside is turned on, it means magic_quotes_gpc = on. Everyone who knows a little bit about php knows it.
Then we have to inject numerical fields.
<span> 1</span> <? <span> 2</span> <span>if</span> ( <span>isset</span>(<span>$_POST</span>["f_login"<span>] ) ){ </span><span> 3</span> <span>//</span><span>连接数据库</span> <span> 4</span> <span>$t_strUid</span> = <span>$_POST</span>["f_uid"<span>]; </span><span> 5</span> <span>$t_strPwd</span> = <span>$_POST</span>["f_pwd"<span>]; </span><span> 6</span> <span>$t_strSQL</span> = "SELECT * FROM tbl_users WHERE uid=<span>$t_strUid</span> AND password = '<span>$t_strPwd</span>' LIMIT 0,1"<span>; </span><span> 7</span> <span>if</span> ( <span>$t_hRes</span> = <span>mysql_query</span>(<span>$t_strSQL</span><span>) ){ </span><span> 8</span> <span>//</span><span> 成功查询</span> <span> 9</span> <span> } </span><span>10</span> <span> } </span><span>11</span> ?>
<span> 1</span> <span><</span><span>html</span><span>></span> <span> 2</span> <span><</span><span>head</span><span>></span> <span> 3</span> <span><</span><span>title</span><span>></span>sample test<span></</span><span>title</span><span>></span> <span> 4</span> <span></</span><span>head</span><span>></span> <span> 5</span> <span><</span><span>body</span><span>></span> <span> 6</span> <span><</span><span>form </span><span>method</span><span>=post </span><span>action</span><span>=""</span><span>></span> <span> 7</span> User ID: <span><</span><span>input </span><span>type</span><span>="text"</span><span> name</span><span>="username"</span><span> size</span><span>=30</span><span>><</span><span>br</span><span>></span> <span> 8</span> Password: <span><</span><span>input </span><span>type</span><span>=text </span><span>name</span><span>="userpwd"</span><span> size</span><span>=30</span><span>><</span><span>br</span><span>></span> <span> 9</span> <span><</span><span>input </span><span>type</span><span>="submit"</span><span> name</span><span>="user_login"</span><span> value</span><span>="登录"</span><span>></span> <span>10</span> <span></</span><span>form</span><span>></span> <span>11</span> <span></</span><span>body</span><span>></span>
If entered correctly:
SELECT * FROM tbltable_users WHERE userid=admin AND password = 'admin' LIMIT 0,1
If the attacker enters at username: admin OR 1 =1 #, the injected sql statement is as follows:
SELECT * FROM table_users WHERE userid=admin OR 1 =1 # AND password = 'admin' LIMIT 0,1
The injection can be done below.
Set the display_errors option in php.ini to display_errors = off to prevent this.
magic_quotes_runtime
If turned on, most functions that obtain and return data from external sources, including databases and text files, will return backslash-escaped data. This option can be changed at runtime, and the default value in PHP is off.
magic_quotes_sybase
如果打开的话,将会使用单引号对单引号进行转义而非反斜线。此选项会完全覆盖 magic_quotes_gpc。如果同时打开两个选项的话,单引号将会被转义成 ”。而双引号、反斜线 和 NULL 字符将不会进行转义。
由于不同服务器的配置不同,需要在代码中用get_magic_quotes_gpc() 检测服务器配置。
<span>1</span> <span>if</span>(<span>isset</span>(<span>$_POST</span>['c'<span>])){ </span><span>2</span> <span>$s</span> = <span>$_POST</span>['c'<span>]; </span><span>3</span> <span>if</span>(<span>get_magic_quotes_gpc</span><span>()) </span><span>4</span> <span>$s</span> = <span>stripslashes</span>(<span>$s</span>);<span>//</span><span>stripslashes() 函数删除由 addslashes() 函数添加的反斜杠。 </span><span>5</span> <span>//do something</span> <span>6</span> }