How to prevent injection of MySQL in PHP and a summary of the usage of some anti-injection functions

Simply determine whether there is an injection vulnerability and the principle. The anti-injection code actually comes and goes with those combinations, and then you can adapt it according to your own program code. The important thing is to know the principle, why these characters are filtered, and what harm the characters have.

sql语句如：select  *  from phpben where id = 1

Recommended related mysql video tutorials: "mysql tutorial"

1.mysql injection statement

(1) No user name and password are required

//正常语句
$sql ="select * from phpben where user_name='admin' and pwd ='123'";
//在用户名框输入'or'='or'或 'or 1='1 然后sql如下
$sql ="select * from phpben where user_name=' 'or'='or'' and pwd ='' ";
$sql ="select * from phpben where user_name=' 'or 1='1' and pwd ='' ";

(2) Take advantage of a user without entering a password.

//正常语句
$sql ="select * from phpben where user_name='$username' and pwd ='$pwd'";
//利用的用户名是benwin 则用户名框输入benwin'#  密码有无都可,则$sql变成
$sql ="select * from phpben where user_name=' benwin'#' and pwd ='$pwd'";

This is because one of the annotations in mysql is "#". In the above statement, # has annotated the following content, so the password can be left blank or entered arbitrarily. Some people on the Internet said that "/*" is used to annotate. What the author wants to mention is that when the annotation is only started and not ended with "*/", MySQL will report an error, and it does not say "/**/" cannot be noted, but it is difficult to add "*/" To end the note, there is also "-" that can also be noted in mysql, but please note that there is at least one space after "-", which is "-". Of course, the anti-injection code must take all three into consideration. There are many things worth mentioning. In the anti-injection code, "-" is not considered in the anti-injection range.

(3) Guess a user’s password

//正常语句
$sql ="select * from phpben.com where user_name='$username' and pwd ='$pwd'";
//在密码输入框中输入“benwin' and left(pwd,1)='p'#”，则$sql是
$sql ="select * from phpben.com where user_name=' benwin' and left(pwd,1)='p'#' and pwd ='$pwd'";

(4)Elevate privileges when inserting data

//正常语句，等级为1
$sql = "insert into phpben.com (`user_name`,`pwd`,`level`) values(‘benwin','iampwd',1) ";
//通过修改密码字符串把语句变成
$sql = "insert into phpben.com (`user_name`,`pwd`,`level`) values(‘benwin','iampwd',5)#',1) ";
$sql = "insert into phpben.com (`user_name`,`pwd`,`level`) values(‘benwin','iampwd',5)--  ',1) ";这样就把一个权限为1的用户提权到等级5

(5)Malicious update and deletion

//正常语句
$sql = "update phpben set `user_name` = ‘benwin' where id =1";
//注入后,恶意代码是“1 or id>0”
$sql = "update phpben set `user_name` = ‘benwin' where id =1 or id>0";
//正常语句
$sql = "update phpben set  `user_name` ='benwin' where id=1";
//注入后
$sql = "update phpben set  `user_name` ='benwin' where id>0#' where id=1";
$sql = "update phpben set  `user_name` ='benwin' where id>0-- ' where id=1";

(6) Guess the injection of table information into sql

//正常语句
$sql ="select * from phpben1 where`user_name`='benwin'";
//猜表名，运行正常则说明存在phpben2表
$sql ="select * from phpben1 where`user_name`='benwin' and (select count(*) from phpben2 )>0#' ";
//猜表字段，运行正常则说明phpben2表中有字段colum1
$sql ="select * from phpben1 where`user_name`='benwin' and (select count(colum1) from phpben2 )>0#'";
//猜字段值
$sql ="select * from phpben1 where`user_name`='benwin' and left(pwd,1)='p'#''";

2. Some functions and notes to prevent injection.

(1)addslashes and stripslashes.

Addslashes add slashes "\'", "\"", "\\", "\NULL" to these "'", """, "\", "NULL", and stripslashes do the opposite. , what should be noted here is whether magic_quotes_gpc=ON is turned on in php.ini. If it is turned on, using addslashes will cause duplication. So when using it, you must first get_magic_quotes_gpc() check

(2)mysql_escape_string() and mysql_ real _escape_string()

mysql_real_escape_string Must be used under (PHP 4 >= 4.3.0, PHP 5). Otherwise, you can only use mysql_escape_string

if (PHP_VERSION >= '4.3')
{
$string  =  mysql_real_escape_string($string);
}else
{
$string  =  mysql_escape_string($string );
}

(3) characters to replace functions and matching functions
str_replace() and perg_replace(). The reason why these functions are also mentioned here is because these functions can be used to filter or replace some Sensitive, deadly character.

The above is the detailed content of How to prevent injection of MySQL in PHP and a summary of the usage of some anti-injection functions. For more information, please follow other related articles on the PHP Chinese website!