细谈php中SQL注入攻击与XSS攻击_PHP
例如: SQL注入攻击
XSS攻击
复制代码 代码如下:
任意执行代码
文件包含以及CSRF.
}
关于SQL攻击有很多文章还有各种防注入脚本,但是都不能解决SQL注入的根本问题
见代码:
复制代码 代码如下:
mysql_connect("localhost","root","123456")or die("数据库连接失败!");
mysql_select_db("test1");
$user=$_post['uid'];
$pwd=$_POST['pass'];
if(mysql_query("SELECT * from where
admin
= `username`='$user' or `password`='$pwd'"){
echo "用户成功登陆..";
} eles {
echo "用户名或密码出错";
}
?>
很简单的一段代码,功能是用于检测用户名或密码是否正确,可是在一些恶意攻击者中提交一些敏感代码.后果可想而知.. post判断注入的方式有2种。
1.在form表单的文本框输入 "or‘1'=1"或者"and 1=1"
在查询数据库的语句就应该是:
SELECT admin from where login = `user`=''or‘1'=1' or `pass`=‘xxxx'
当然也不会出现什么错误,因为or在sql的语句中代表和,或的意思。当然也会提示错误。
当时我们已经发现了可以执行SQL语句之后就可以查询当前表的所有信息。例如:正确的管理员账户和密码进行登录入侵。。
修复方式1:
使用javascript脚本过滤特殊字符(不推荐,指标不治本)
如果攻击者禁用了javascript还是可以进行SQL注入攻击。。
修复方式2:
使用mysql的自带函数进行过滤。
见代码:
复制代码 代码如下:
// 省略连接数据库等操作。。
$user=mysql_real_escape_string($_POST['user']);
mysql_query("select * from admin whrer `username`='$user'");
?>
既然前面说道了xss攻击,我们再来说说XSS攻击以及防范吧。。
提交表单:
复制代码 代码如下:
接收文件:
复制代码 代码如下:
if(empty($_POST['sub'])){
echo $_POST['test'];
}
很简单的一段代码,在这里只是模拟了下使用场景..
加入攻击者提交
<script>alert(document.cookie);</script>
在返回的页面就应该显示当前页面的cookie信息。
我们可以运用到某些留言板上(提前是没过滤的),然后当管理员审核改条信息时盗取COOKIE信息,并发送到攻击者的空间或者邮箱。。攻击者可以使用cookie修改器进行登陆入侵了。。
当然解决方案也有很多。。下面就介绍一个最常用的方式吧。
修复方案1:使用javascript进行转义
修复方案2:使用php内置函数进行转义
代码如下:
[code]
if(empty($_POST['sub'])){
$str=$_POST['test'];
htmlentities($srt);
echo $srt;
}
[html]
好了,关于SQL注入攻击和XSS攻击的案例与修复方法就讲的差不多了。
当然还有其他的解决方法:
例如:使用php框架
还有其他的一些方法。。当然了,XSS的运用范围与攻击方式很多也很广。本文只针对php的提交方式进行过滤,还有其他的需要自己去研究 ^_^~
此文出此:Aey uhost team(team.hake.cc),转载请带上版权。
y0umer
2012/6/7
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to protect against cross-site scripting (XSS) attacks using PHP
Jun 29, 2023 am 10:46 AM
How to Use PHP to Defend Cross-Site Scripting (XSS) Attacks With the rapid development of the Internet, Cross-SiteScripting (XSS) attacks are one of the most common network security threats. XSS attacks mainly achieve the purpose of obtaining user sensitive information and stealing user accounts by injecting malicious scripts into web pages. To protect the security of user data, developers should take appropriate measures to defend against XSS attacks. This article will introduce some commonly used PHP technologies to defend against XSS attacks.
How to use PDO preprocessing to prevent SQL injection attacks
Jul 28, 2023 pm 11:18 PM
How to use PDO preprocessing to prevent SQL injection attacks Introduction: During web development, we often need to interact with the database. However, incorrect database query operations may lead to serious security risks, and one of the most widely exploited attack methods is SQL injection attacks. In order to prevent SQL injection attacks, PDO provides a preprocessing mechanism. This article will introduce how to use PDO preprocessing correctly. What is a SQL injection attack: SQL injection is an attack technique against the database. The attacker uses
How to prevent SQL injection attacks?
May 13, 2023 am 08:15 AM
With the popularity of the Internet and the continuous expansion of application scenarios, we use databases more and more often in our daily lives. However, database security issues are also receiving increasing attention. Among them, SQL injection attack is a common and dangerous attack method. This article will introduce the principles, harms and how to prevent SQL injection attacks. 1. Principle of SQL injection attack SQL injection attack generally refers to the behavior of hackers executing malicious SQL statements in applications by constructing specific malicious input. These behaviors sometimes lead to
How do XSS vulnerabilities work?
Feb 19, 2024 pm 07:31 PM
What is the principle of XSS attack? Specific code examples are needed. With the popularity and development of the Internet, the security of Web applications has gradually become the focus of attention. Among them, Cross-SiteScripting (XSS for short) is a common security vulnerability that web developers must pay attention to. XSS attacks are performed by injecting malicious script code into a Web page and executing it in the user's browser. This allows the attacker to control the user's browser and obtain the user's sensitive information.
Preventing SQL Injection Attacks: Security Strategies to Protect Java Application Databases
Jun 30, 2023 pm 10:21 PM
Database Security: Strategies to Protect Java Applications from SQL Injection Attacks Summary: With the development of the Internet, Java applications play an increasingly important role in our lives and work. However, at the same time, database security issues have become increasingly prominent. SQL injection attacks are one of the most common and devastating database security vulnerabilities. This article will introduce some strategies and measures to protect Java applications from the threat of SQL injection attacks. Part 1: What is a SQL injection attack? SQL injection
PHP data filtering: preventing XSS and CSRF attacks
Jul 29, 2023 pm 03:33 PM
PHP Data Filtering: Preventing XSS and CSRF Attacks With the development of the Internet, network security has become one of the focuses of people's attention. In website development, it is very important to filter and verify user-submitted data, especially to prevent XSS (cross-site scripting attacks) and CSRF (cross-site request forgery attacks) attacks. This article will introduce how to use PHP to prevent these two common security vulnerabilities and provide some sample code for reference. Preventing XSS attacks XSS attacks refer to malicious attackers injecting malicious scripts or codes to tamper with
PHP Database Connection Security: Ways to Prevent SQL Injection Attacks
Sep 09, 2023 am 10:41 AM
PHP Database Connection Security: Methods to Prevent SQL Injection Attacks Introduction: In the process of developing web applications, the database is one of the very important components. However, incorrect or insecure database connections may allow malicious users to conduct SQL injection attacks, which will seriously threaten the security of our applications. In order to protect the application from SQL injection attacks, we need to take some security measures. This article will introduce some commonly used PHP database connection security methods and give corresponding code examples. 1. to make
Common network security issues and solutions in Java development
Oct 09, 2023 pm 06:36 PM
Summary of common network security issues and solutions in Java development: With the popularization of the Internet, network security issues have become increasingly prominent. During Java development, we need to consider how to protect the security of network communications. This article will introduce some common network security problems and provide corresponding solutions and code examples. 1. Cross-site scripting attack (XSS) XSS attack refers to an attack method that obtains user sensitive information by injecting malicious scripts into web pages. To prevent XSS attacks, we can use regular input checking
