php中sql注入漏洞示例 sql注入漏洞修复

Home

Backend Development

PHP Tutorial

php中sql注入漏洞示例 sql注入漏洞修复_php实例

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

May 17, 2016 am 08:50 AM

sql injection SQL injection vulnerability repair

在开发网站的时候，出于安全考虑，需要过滤从页面传递过来的字符。通常，用户可以通过以下接口调用数据库的内容：URL地址栏、登陆界面、留言板、搜索框等。这往往给骇客留下了可乘之机。轻则数据遭到泄露，重则服务器被拿下。

一、SQL注入的步骤

a) 寻找注入点(如：登录界面、留言板等)

b) 用户自己构造SQL语句(如：' or 1=1#，后面会讲解)

c) 将sql语句发送给数据库管理系统(DBMS)

d) DBMS接收请求，并将该请求解释成机器代码指令，执行必要的存取操作

e) DBMS接受返回的结果，并处理，返回给用户

因为用户构造了特殊的SQL语句，必定返回特殊的结果(只要你的SQL语句够灵活的话)。

下面，我通过一个实例具体来演示下SQL注入

二、SQL注入实例详解(以上测试均假设服务器未开启magic_quote_gpc)

1) 前期准备工作

先来演示通过SQL注入漏洞，登入后台管理员界面

首先，创建一张试验用的数据表：

复制代码代码如下:

CREATETABLE `users` (

`id`int(11) NOT NULL AUTO_INCREMENT,

`username`varchar(64) NOT NULL,

`password`varchar(64) NOT NULL,

`email`varchar(64) NOT NULL,

PRIMARYKEY (`id`),

UNIQUEKEY `username` (`username`)

)ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=latin1;

添加一条记录用于测试：

复制代码代码如下:

INSERTINTO users (username,password,email)

VALUES('MarcoFly',md5('test'),'marcofly@test.com');

接下来，贴上登录界面的源代码：

复制代码代码如下:

Sql注入演示

    Sql注入演示

用户名：

密  码：

当用户点击提交按钮的时候，将会把表单数据提交给validate.php页面，validate.php页面用来判断用户输入的用户名和密码有没有都符合要求(这一步至关重要，也往往是SQL漏洞所在)

代码如下：

复制代码代码如下:

登录验证

$conn=@mysql_connect("localhost",'root','')or die("数据库连接失败！");;

mysql_select_db("injection",$conn) or die("您要选择的数据库不存在");

$name=$_POST['username'];

$pwd=$_POST['password'];

$sql="select * from users where username='$name' andpassword='$pwd'";

$query=mysql_query($sql);

$arr=mysql_fetch_array($query);

if(is_array($arr)){

header("Location:manager.php");

}else{

echo "您的用户名或密码输入有误，请重新登录！";

}

注意到了没有，我们直接将用户提交过来的数据(用户名和密码)直接拿去执行，并没有实现进行特殊字符过滤，待会你们将明白，这是致命的。
代码分析：如果，用户名和密码都匹配成功的话，将跳转到管理员操作界面(manager.php)，不成功，则给出友好提示信息。
到这里，前期工作已经做好了，接下来将展开我们的重头戏：SQL注入

2) 构造SQL语句

填好正确的用户名(marcofly)和密码(test)后，点击提交，将会返回给我们“欢迎管理员”的界面。

因为根据我们提交的用户名和密码被合成到SQL查询语句当中之后是这样的：

复制代码代码如下:

select * from users where username='marcofly' andpassword=md5('test')

很明显，用户名和密码都和我们之前给出的一样，肯定能够成功登陆。但是，如果我们输入一个错误的用户名或密码呢?很明显，肯定登入不了吧。恩，正常情况下是如此，但是对于有SQL注入漏洞的网站来说，只要构造个特殊的“字符串”，照样能够成功登录。

比如：在用户名输入框中输入:' or 1=1#,密码随便输入，这时候的合成后的SQL查询语句为：

复制代码代码如下:

select * from users where username='' or 1=1#' and password=md5('')

语义分析：“#”在mysql中是注释符，这样井号后面的内容将被mysql视为注释内容，这样就不会去执行了，换句话说，以下的两句sql语句等价：

复制代码代码如下:

select * from users where username='' or 1=1#' and password=md5('')

等价于

复制代码代码如下:

select *from users where username='' or 1=1

因为1=1永远是都是成立的，即where子句总是为真，将该sql进一步简化之后，等价于如下select语句：

复制代码代码如下:

select * from users

没错，该sql语句的作用是检索users表中的所有字段
小技巧：如果不知道' or 1=1#中的单引号的作用，可以自己echo 下sql语句，就一目了然了。
看到了吧，一个经构造后的sql语句竟有如此可怕的破坏力，相信你看到这后，开始对sql注入有了一个理性的认识了吧~
没错，SQL注入就是这么容易。但是，要根据实际情况构造灵活的sql语句却不是那么容易的。有了基础之后，自己再去慢慢摸索吧。
有没有想过，如果经由后台登录窗口提交的数据都被管理员过滤掉特殊字符之后呢?这样的话，我们的万能用户名' or 1=1#就无法使用了。但这并不是说我们就毫无对策，要知道用户和数据库打交道的途径不止这一条。

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hello Kitty Island Adventure: How To Get Giant Seeds

1 months ago By 尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

4 weeks ago By DDD

R.E.P.O. Save File Location: Where Is It & How to Protect It?

4 weeks ago By DDD

Two Point Museum: All Exhibits And Where To Find Them

1 months ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7375

Java Tutorial

1628

CakePHP Tutorial

1355

Laravel Tutorial

1267

PHP Tutorial

1216

Related knowledge

How to use exp for SQL error injection May 12, 2023 am 10:16 AM

0x01 Preface Overview The editor discovered another Double data overflow in MySQL. When we get the functions in MySQL, the editor is more interested in the mathematical functions. They should also contain some data types to save values. So the editor ran to test to see which functions would cause overflow errors. Then the editor discovered that when a value greater than 709 is passed, the function exp() will cause an overflow error. mysql>selectexp(709);+-----------------------+|exp(709)|+---------- ------------+|8.218407461554972

Nginx basic security knowledge: preventing SQL injection attacks Jun 10, 2023 pm 12:31 PM

Nginx is a fast, high-performance, scalable web server, and its security is an issue that cannot be ignored in web application development. Especially SQL injection attacks, which can cause huge damage to web applications. In this article, we will discuss how to use Nginx to prevent SQL injection attacks to protect the security of web applications. What is a SQL injection attack? SQL injection attack is an attack method that exploits vulnerabilities in web applications. Attackers can inject malicious code into web applications

PHP Programming Tips: How to Prevent SQL Injection Attacks Aug 17, 2023 pm 01:49 PM

PHP Programming Tips: How to Prevent SQL Injection Attacks Security is crucial when performing database operations. SQL injection attacks are a common network attack that exploit an application's improper handling of user input, resulting in malicious SQL code being inserted and executed. To protect our application from SQL injection attacks, we need to take some precautions. Use parameterized queries Parameterized queries are the most basic and most effective way to prevent SQL injection attacks. It works by comparing user-entered values with a SQL query

Detection and repair of PHP SQL injection vulnerabilities Aug 08, 2023 pm 02:04 PM

Overview of detection and repair of PHP SQL injection vulnerabilities: SQL injection refers to an attack method in which attackers use web applications to maliciously inject SQL code into the input. PHP, as a scripting language widely used in web development, is widely used to develop dynamic websites and applications. However, due to the flexibility and ease of use of PHP, developers often ignore security, resulting in the existence of SQL injection vulnerabilities. This article will introduce how to detect and fix SQL injection vulnerabilities in PHP and provide relevant code examples. check

How to prevent SQL injection attacks using PHP Jun 24, 2023 am 10:31 AM

In the field of network security, SQL injection attacks are a common attack method. It exploits malicious code submitted by malicious users to alter the behavior of an application to perform unsafe operations. Common SQL injection attacks include query operations, insert operations, and delete operations. Among them, query operations are the most commonly attacked, and a common method to prevent SQL injection attacks is to use PHP. PHP is a commonly used server-side scripting language that is widely used in web applications. PHP can be related to MySQL etc.

Laravel Development Notes: Methods and Techniques to Prevent SQL Injection Nov 22, 2023 pm 04:56 PM

Laravel Development Notes: Methods and Techniques to Prevent SQL Injection With the development of the Internet and the continuous advancement of computer technology, the development of web applications has become more and more common. During the development process, security has always been an important issue that developers cannot ignore. Among them, preventing SQL injection attacks is one of the security issues that requires special attention during the development process. This article will introduce several methods and techniques commonly used in Laravel development to help developers effectively prevent SQL injection. Using parameter binding Parameter binding is Lar

PHP form filtering: SQL injection prevention and filtering Aug 07, 2023 pm 03:49 PM

PHP form filtering: SQL injection prevention and filtering Introduction: With the rapid development of the Internet, the development of Web applications has become more and more common. In web development, forms are one of the most common ways of user interaction. However, there are security risks in the processing of form submission data. Among them, one of the most common risks is SQL injection attacks. A SQL injection attack is an attack method that uses a web application to improperly process user input data, allowing the attacker to perform unauthorized database queries. The attacker passes the

Strategies to deal with SQL injection vulnerabilities in PHP Aug 09, 2023 pm 03:09 PM

SQL injection is a common network attack method that uses the application's imperfect processing of input data to successfully inject malicious SQL statements into the database. This attack method is particularly common in applications developed using the PHP language, because PHP's handling of user input is usually relatively weak. This article will introduce some strategies for dealing with SQL injection vulnerabilities and provide PHP code examples. Using prepared statements Prepared statements are a recommended way to defend against SQL injection. It uses binding parameters to combine input data with

See all articles

用户名：
密码：