PHP与SQL注入攻击防范小技巧_php技巧
下面来谈谈SQL注入攻击是如何实现的,又如何防范。
看这个例子:
// supposed input
$name = "ilia'; DELETE FROM users;";
mysql_query("SELECT * FROM users WHERE name='{$name}'");
很明显最后数据库执行的命令是:
SELECT * FROM users WHERE name=ilia; DELETE FROM users
这就给数据库带来了灾难性的后果–所有记录都被删除了。
不过如果你使用的数据库是MySQL,那么还好,mysql_query()函数不允许直接执行这样的操作(不能单行进行多个语句操作),所以你可以放心。如果你使用的数据库是SQLite或者PostgreSQL,支持这样的语句,那么就将面临灭顶之灾了。
上面提到,SQL注入主要是提交不安全的数据给数据库来达到攻击目的。为了防止SQL注入攻击,PHP自带一个功能可以对输入的字符串进行处理,可以在较底层对输入进行安全上的初步处理,也即Magic Quotes。(php.ini magic_quotes_gpc)。如果magic_quotes_gpc选项启用,那么输入的字符串中的单引号,双引号和其它一些字符前将会被自动加上反斜杠\。
但Magic Quotes并不是一个很通用的解决方案,没能屏蔽所有有潜在危险的字符,并且在许多服务器上Magic Quotes并没有被启用。所以,我们还需要使用其它多种方法来防止SQL注入。
许多数据库本身就提供这种输入数据处理功能。例如PHP的MySQL操作函数中有一个叫mysql_real_escape_string()的函数,可将特殊字符和可能引起数据库操作出错的字符转义。
看这段代码:
//如果Magic Quotes功用启用
if (get_magic_quotes_gpc()) {
$name = stripslashes($name);
}else{
$name = mysql_real_escape_string($name);
}
mysql_query("SELECT * FROM users WHERE name='{$name}'");
注意,在我们使用数据库所带的功能之前要判断一下Magic Quotes是否打开,就像上例中那样,否则两次重复处理就会出错。如果MQ已启用,我们要把加上的去掉才得到真实数据。
除了对以上字符串形式的数据进行预处理之外,储存Binary数据到数据库中时,也要注意进行预处理。否则数据可能与数据库自身的存储格式相冲突,引起数据库崩溃,数据记录丢失,甚至丢失整个库的数据。有些数据库如 PostgreSQL,提供一个专门用来编码二进制数据的函数pg_escape_bytea(),它可以对数据进行类似于Base64那样的编码。
如:
// for plain-text data use:
pg_escape_string($regular_strings);
// for binary data use:
pg_escape_bytea($binary_data);
另一种情况下,我们也要采用这样的机制。那就是数据库系统本身不支持的多字节语言如中文,日语等。其中有些的ASCII范围和二进制数据的范围重叠。
不过对数据进行编码将有可能导致像LIKE abc% 这样的查询语句失效。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to use Nginx to protect against LDAP injection attacks
Jun 10, 2023 pm 08:19 PM
With the increase in network security vulnerabilities, LDAP injection attacks have become a security risk faced by many websites. In order to protect website security and prevent LDAP injection attacks, some security measures need to be used. Among them, Nginx, as a high-performance web server and reverse proxy server, can provide us with a lot of convenience and protection. This article will introduce how to use Nginx to prevent LDAP injection attacks. LDAP injection attack LDAP injection attack is an attack method targeting the LDAP database. The attacker
Security risks and prevention methods in Vue projects
Jun 11, 2023 pm 10:10 PM
Vue is a popular JavaScript framework widely used for building single-page applications. When developing a Vue project, security issues are a key issue to pay attention to, because under some improper operations, Vue can become the target of attackers. In this article, we will introduce common security risks in Vue projects and how to prevent them. XSS Attack XSS attack refers to an attacker taking advantage of website vulnerabilities to tamper with user pages or steal information by injecting code. In Vue
Analysis and prevention of typical network application vulnerabilities
Jun 11, 2023 pm 08:36 PM
With the popularization of the Internet, more and more network applications are appearing, and various websites, APPs, small programs, etc. are everywhere. Network applications bring us convenience and entertainment, but they also bring security risks. The existence of network application vulnerabilities can easily be exploited by hackers, leading to security issues such as data leakage, theft of personal information, account theft, and network attacks. This article will start with common network application vulnerabilities, analyze the causes and provide preventive measures. SQL injection vulnerability SQL injection vulnerability is a common vulnerability exploited by hackers to attack databases
PHP security protection: avoid injection attacks
Jun 24, 2023 am 09:22 AM
In today's online world, network security is a major problem. Both individual users and corporate organizations need to pay special attention to the security of network systems. Especially during the development and maintenance of websites, injection attacks are one of the common security vulnerabilities. As a programming language widely used in website development, PHP is even more vulnerable to injection attacks. Therefore, this article will introduce you to PHP security protection methods to avoid injection attacks. What is an injection attack? First of all, injection attacks refer to hackers exploiting vulnerabilities in network systems
How Nginx protects against XML injection attacks
Jun 11, 2023 am 08:20 AM
XML injection attacks are a common form of network attack in which attackers pass maliciously injected XML code to applications to gain unauthorized access or perform malicious operations. Nginx is a popular web server and reverse proxy server that can protect against XML injection attacks in a variety of ways. Filter and validate input All data input to the server, including XML input, should be filtered and validated. Nginx provides some built-in modules that can process requests before proxying them to the backend service.
How to use Nginx to prevent apache flag injection attacks
Jun 10, 2023 pm 03:17 PM
In the field of network security, Apache flag injection attacks are a relatively common attack method. Attackers use certain vulnerabilities or specific HTTP request parameters to forge request headers, thereby tricking the server into performing unexpected operations or executing malicious code. To prevent this attack, we can use Nginx as a reverse proxy server to handle requests. The following describes how to use Nginx to prevent Apache flag injection attacks. Set Nginx reverse proxy Nginx can forward the request when processing the request
Cross-site scripting (XSS) attack prevention in Go: best practices and tips
Jun 17, 2023 pm 12:46 PM
With the rapid development of the Internet, website security issues have become a major problem in the online world. Cross-site scripting (XSS) attack is a common security vulnerability that exploits website weaknesses to inject malicious scripts into web pages to steal and tamper with user information. As an efficient and safe programming language, Go language provides us with powerful tools and techniques to prevent XSS attacks. This article will introduce some best practices and techniques to help Go language developers effectively prevent and resolve XSS attacks. for all inputs
MySql SQL injection attack: how to prevent and solve
Jun 15, 2023 pm 10:16 PM
MySQL is a commonly used relational database. Although it has high security characteristics, it also faces the threat of SQL injection attacks all the time. SQL injection attacks are a common attack method. Hackers will construct malicious SQL query statements to bypass the authentication and authorization of the application, and then obtain or destroy the data in the database. Below, we will introduce SQL injection attacks and how to prevent and resolve such attacks. The principle of SQL injection attack The most basic principle of SQL injection attack is to pass
