This article introduces SQL injection vulnerabilities in PHP by example. Pay attention to this during development.
When developing a website, for security reasons, the values passed in from the page must be treated as untrusted. Users normally reach the database through interfaces such as the URL address bar, the login form, a message board or a search box, and each of these gives an attacker something to work with. At best the data is leaked; at worst the server is taken over.
1. Steps of SQL injection
a) Find an injection point (a login form, a message board, a search box, etc.)
b) Construct input that completes the application's SQL statement in an unintended way (for example ' or 1=1#, explained later)
c) The application splices that input into its query and sends the statement to the database management system (DBMS)
d) The DBMS parses and executes the statement exactly as received; it cannot tell which part came from the developer and which from the user
e) The application receives the result set, processes it, and returns something to the user
Because the user has shaped the SQL statement, the result is shaped by the user too (as long as the injected SQL is flexible enough).
Below, I will demonstrate SQL injection through an example.
2. Detailed explanation of SQL injection examples (the tests below assume that magic_quotes_gpc is not enabled on the server; that setting was deprecated in PHP 5.3, removed in PHP 5.4, and was never a reliable defence anyway)
1) Preparatory work
First, let’s demonstrate how to log into the backend administrator interface through SQL injection vulnerability.
First, create a data table for testing:
The code is as follows:
CREATE TABLE `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(64) NOT NULL,
  `password` varchar(64) NOT NULL,
  `email` varchar(64) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=latin1;
Add a record for testing:
The code is as follows:
INSERT INTO users (username, password, email)
VALUES ('MarcoFly', md5('test'), 'marcofly@test.com');
Next, paste the source code of the login interface:
The code is as follows:
Sql injection demonstration
When the user clicks the submit button, the form data is submitted to the validate.php page. validate.php checks whether the username and password entered by the user match a record (this step is crucial, and it is where the SQL injection vulnerability usually lives).
The code is as follows:
Login Verification
Have you noticed that the data submitted by the user (username and password) goes straight into the query without being escaped or bound as a parameter? You will see later why this is fatal.
Code analysis: if the username and password match a row, the page redirects to the administrator interface (manager.php); if not, a friendly error message is shown.
At this point, the preliminary work has been done, and next we will start our highlight: SQL injection
2) Construct SQL statement
After filling in the correct username (marcofly) and password (test), click Submit, and we will be returned to the "Welcome Administrator" interface.
Because the username and password we submitted are synthesized into the SQL query statement and look like this:
The code is as follows:
select * from users where username='marcofly' and password=md5('test')
Obviously, this username and password match the record inserted earlier, so the login succeeds. What if we enter a wrong username or password? Then, obviously, the login fails. That is how it works under normal circumstances, but on a site with a SQL injection vulnerability you can still log in successfully as long as you construct the right "string".
For example: enter: ' or 1=1# in the user name input box, and enter the password as you like. The synthesized SQL query statement at this time is:
The code is as follows:
select * from users where username='' or 1=1#' and password=md5('')
Semantic analysis: "#" is a comment character in MySQL, so the content after the pound sign will be regarded as comment content by MySQL and will not be executed. In other words, the following two SQL statements are equivalent:
The code is as follows:
select * from users where username='' or 1=1#' and password=md5('')
Equivalent to
The code is as follows:
select * from users where username='' or 1=1
Because 1=1 is always true, that is, the where clause is always true. After further simplifying the SQL, it is equivalent to the following select statement:
The code is as follows:
select * from users
Yes, this SQL statement retrieves every row and every field of the users table, and validate.php treats a non-empty result as a successful login.
Tip: if you are unsure what the single quote in ' or 1=1# is doing, echo the assembled SQL statement yourself. The quote closes the string literal that validate.php opened around the username, so everything after it is parsed as SQL rather than as data.
You see, a constructed SQL statement can have such terrible destructive power. I believe that after seeing this, you will begin to have a rational understanding of SQL injection~
Yes, SQL injection is that easy. However, it is not so easy to construct flexible SQL statements according to the actual situation. After you have the basics, you can slowly explore on your own.
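The following is an added example, not code from the original article or from bkjia.com, that reproduces the whole flow in one runnable script: it rebuilds the exact query text validate.php assembles from the form fields, runs the vulnerable concatenation against an in-memory SQLite copy of the users table, and shows the parameterised query that closes the hole. Two things are assumptions made for the demo: SQLite has no md5() function and does not treat # as a comment, so the hash is computed in Python and the injected payload uses the -- comment (which MySQL accepts too, as long as a space follows it), and a second user "alice" is inserted so that "select * from users" visibly returns more than the one row a correct login would.

```python
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    """Same digest MySQL's md5() returns, computed here because SQLite lacks md5()."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_mysql_query(username: str, password: str) -> str:
    """Reproduce the string validate.php builds: raw form fields spliced into SQL text.

    Nothing is escaped, so whatever the user types becomes part of the statement.
    """
    return (
        "select * from users where username='" + username
        + "' and password=md5('" + password + "')"
    )


def seed_db() -> sqlite3.Connection:
    """Constructed test data: the article's users table plus one extra (assumed) account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " username VARCHAR(64) NOT NULL UNIQUE,"
        " password VARCHAR(64) NOT NULL,"
        " email VARCHAR(64) NOT NULL)"
    )
    rows = [
        ("MarcoFly", md5_hex("test"), "marcofly@test.com"),
        ("alice", md5_hex("s3cret"), "alice@example.com"),  # assumed second user
    ]
    conn.executemany(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)", rows
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String concatenation, as in the article's validate.php.

    The password is hashed before splicing, so only the username is injectable here.
    A payload like "' or 1=1-- " closes the quoted literal, adds an always-true
    condition and comments out the rest of the WHERE clause.
    """
    sql = (
        "select * from users where username='" + username
        + "' and password='" + md5_hex(password) + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "select * from users where username=? and password=?"
    return conn.execute(sql, (username, md5_hex(password))).fetchall()


if __name__ == "__main__":
    # The statement the article shows for the payload ' or 1=1# with an empty password
    print(build_mysql_query("' or 1=1#", ""))
    db = seed_db()
    print(len(login_vulnerable(db, "MarcoFly", "test")))      # 1: the real account
    print(len(login_vulnerable(db, "' or 1=1-- ", "wrong")))  # 2: every row, login "succeeds"
    print(len(login_safe(db, "' or 1=1-- ", "wrong")))        # 0: payload is just a username
```

Escaping special characters with addslashes() or magic_quotes_gpc, which the article alludes to, is what the login_vulnerable path would get with a filter bolted on; it still parses user text as SQL and breaks down with numeric fields, multibyte charsets and second-order injection. The login_safe path is the fix a practitioner should ship (in PHP: mysqli or PDO prepared statements with bound parameters).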
Have you ever wondered what happens if the administrator filters special characters out of the data submitted through the backend login form? In that case the universal username ' or 1=1# no longer works. That does not mean there are no countermeasures: there is more than one path from the user to the database.
Source: http://www.bkjia.com/PHPjc/727559.html