在PHP中全面阻止SQL注入式 攻击之二(2)_MySQL
bitsCN.com
net/sqlite)情况更为可怕,由于其易于使用而吸引了大量用户的关注。在有些情况下,SQLite缺省地允许这样的多指令查询,因为该数据库可以优化批查询,特别是非常有效的批INSERT语句处理。然而,如果查询的结果为你的脚本所使用的话(例如在使用一个SELECT语句检索记录的情况下),sqlite_query()函数却不会允许执行多个查询。
三、 INVISION Power BOARD SQL注入脆弱性
Invision Power Board是一个著名的论坛系统。2005年五月6号,在登录代码中发现了一处SQL注入脆弱性。其发现者为GulfTech Security Research的James Bercegay。
这个登录查询如下所示:
$DB->query("SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'");
其中,成员ID变量$mid和口令ID变量$pid被使用下面两行代码从my_cookie()函数中检索出:
$mid = intval($std->my_getcookie('member_id'));
$pid = $std->my_getcookie('pass_hash');
在此,my_cookie()函数使用下列语句从cookie中检索要求的变量:
return urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]);
【注意】从该cookie返回的值根本没有被处理。尽管$mid在使用于查询之前被强制转换成一个整数,但是$pid却保持不变。因此,它很容易遭受我们前面所讨论的注入类型的攻击。
因此,通过以如下方式修改my_cookie()函数,这种脆弱性就会暴露出来:
if ( ! in_array( $name,array('topicsread', 'forum_read','collapseprefs') ) )
{
return $this->
clean_value(urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]));
}
else
{
return urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]);
}
经过这样的改正之后,其中的关键变量在"通过"全局clean_value()函数后被返回,而其它变量却未进行检查。
现在,既然我们大致了解了什么是SQL注入,它的注入原理以及这种注入的脆弱程度,那么接下来,让我们探讨如何有效地预防它。幸好,PHP为我们提供了丰富的资源,因此我们有充分的信心预言,一个经仔细地彻底地使用我们所推荐的技术构建的应用程序将会从你的脚本中根本上消除任何可能性的SQL注入-通过在它可能造成任何损坏之前"清理"你的用户的数据来实现。
四、 界定你的查询中的每一个值
我们推荐,你确保界定了你的查询中的每一个值。字符串值首当其冲,以及那些你通常期望应该使用"单"(而不是"双")引号的内容。一方面,如果你使用双引号来允许PHP在字符串内的变量替代,这样可以使得输入查询更为容易些;另一方面,这(无可否认,只是极少量地)也会减少以后PHP代码的分析工作。
下面,让我们使用我们一开始使用的那个非注入式查询来说明这个问题:
SELECT * FROM wines WHERE variety = 'lagrein'
或以PHP语句表达为:
$query = "SELECT * FROM wines WHERE variety = '$variety'";
从技术上讲,引号对于数字值来说是不需要使用的。但是,如果你并不介意用引号把例如葡萄酒这样的一个域相应的一个值括起来并且如果你的用户把一个空值输入到你的表单中的话,那么,你会看到一个类似下面的查询:
SELECT * FROM wines WHERE vintage =
当然,这个查询从语法上讲是无效的;但是,下面的语法却是有效的:
SELECT * FROM wines WHERE vintage = ''
第二个查询将(大概)不会返回任何果,但是至少它不会返回一个错误消息。
五、 检查用户提交的值的类型
从前面的讨论中我们看到,迄今为止,SQL注入的主要来源往往出在一个意料之外的表单入口上。然而,当你经由一个表单向用户提供机会提交某些值时,你应该有相当的优势来确定你想取得什么样的输入内容-这可以使得我们比较容易地检查用户入口的有效性。在以前的文章中,我们已经讨论过这样的校验问题;所以,在此,我们仅简单地总结当时我们讨论的要点。如果你正在期望一个数字,那么你可以使用下面这些技术之一来确保你得到的真正是一个数字类型:
bitsCN.com
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to use Xiaohongshu account to find users? Can I find my mobile phone number?
Mar 22, 2024 am 08:40 AM
With the rapid development of social media, Xiaohongshu has become one of the most popular social platforms. Users can create a Xiaohongshu account to show their personal identity and communicate and interact with other users. If you need to find a user’s Xiaohongshu number, you can follow these simple steps. 1. How to use Xiaohongshu account to find users? 1. Open the Xiaohongshu APP, click the "Discover" button in the lower right corner, and then select the "Notes" option. 2. In the note list, find the note posted by the user you want to find. Click to enter the note details page. 3. On the note details page, click the "Follow" button below the user's avatar to enter the user's personal homepage. 4. In the upper right corner of the user's personal homepage, click the three-dot button and select "Personal Information"
Log in to Ubuntu as superuser
Mar 20, 2024 am 10:55 AM
In Ubuntu systems, the root user is usually disabled. To activate the root user, you can use the passwd command to set a password and then use the su- command to log in as root. The root user is a user with unrestricted system administrative rights. He has permissions to access and modify files, user management, software installation and removal, and system configuration changes. There are obvious differences between the root user and ordinary users. The root user has the highest authority and broader control rights in the system. The root user can execute important system commands and edit system files, which ordinary users cannot do. In this guide, I'll explore the Ubuntu root user, how to log in as root, and how it differs from a normal user. Notice
How to check your academic qualifications on Xuexin.com
Mar 28, 2024 pm 04:31 PM
How to check my academic qualifications on Xuexin.com? You can check your academic qualifications on Xuexin.com, but many users don’t know how to check their academic qualifications on Xuexin.com. Next, the editor brings you a graphic tutorial on how to check your academic qualifications on Xuexin.com. Interested users come and take a look! Xuexin.com usage tutorial: How to check your academic qualifications on Xuexin.com 1. Xuexin.com entrance: https://www.chsi.com.cn/ 2. Website query: Step 1: Click on the Xuexin.com address above to enter the homepage Click [Education Query]; Step 2: On the latest webpage, click [Query] as shown by the arrow in the figure below; Step 3: Then click [Login Academic Credit File] on the new page; Step 4: On the login page Enter the information and click [Login];
12306 How to check historical ticket purchase records How to check historical ticket purchase records
Mar 28, 2024 pm 03:11 PM
Download the latest version of 12306 ticket booking app. It is a travel ticket purchasing software that everyone is very satisfied with. It is very convenient to go wherever you want. There are many ticket sources provided in the software. You only need to pass real-name authentication to purchase tickets online. All users You can easily buy travel tickets and air tickets and enjoy different discounts. You can also start booking reservations in advance to grab tickets. You can book hotels or special car transfers. With it, you can go where you want to go and buy tickets with one click. Traveling is simpler and more convenient, making everyone's travel experience more comfortable. Now the editor details it online Provides 12306 users with a way to view historical ticket purchase records. 1. Open Railway 12306, click My in the lower right corner, and click My Order 2. Click Paid on the order page. 3. On the paid page
Analysis of user password storage mechanism in Linux system
Mar 20, 2024 pm 04:27 PM
Analysis of user password storage mechanism in Linux system In Linux system, the storage of user password is one of the very important security mechanisms. This article will analyze the storage mechanism of user passwords in Linux systems, including the encrypted storage of passwords, the password verification process, and how to securely manage user passwords. At the same time, specific code examples will be used to demonstrate the actual operation process of password storage. 1. Encrypted storage of passwords In Linux systems, user passwords are not stored in the system in plain text, but are encrypted and stored. L
How to check the activation date on Apple mobile phone
Mar 08, 2024 pm 04:07 PM
If you want to check the activation date using an Apple mobile phone, the best way is to check it through the serial number in the mobile phone. You can also check it by visiting Apple's official website, connecting it to a computer, and downloading third-party software to check it. How to check the activation date of Apple mobile phone Answer: Serial number query, Apple official website query, computer query, third-party software query 1. The best way for users is to know the serial number of their mobile phone. You can see the serial number by opening Settings, General, About This Machine. . 2. Using the serial number, you can not only know the activation date of your mobile phone, but also check the mobile phone version, mobile phone origin, mobile phone factory date, etc. 3. Users visit Apple's official website to find technical support, find the service and repair column at the bottom of the page, and check the iPhone activation information there. 4. User
How to use Oracle to query whether a table is locked?
Mar 06, 2024 am 11:54 AM
Title: How to use Oracle to query whether a table is locked? In Oracle database, table lock means that when a transaction is performing a write operation on the table, other transactions will be blocked when they want to perform write operations on the table or make structural changes to the table (such as adding columns, deleting rows, etc.). In the actual development process, we often need to query whether the table is locked in order to better troubleshoot and deal with related problems. This article will introduce how to use Oracle statements to query whether a table is locked, and give specific code examples. To check whether the table is locked, we
Comparison of similarities and differences between MySQL and PL/SQL
Mar 16, 2024 am 11:15 AM
MySQL and PL/SQL are two different database management systems, representing the characteristics of relational databases and procedural languages respectively. This article will compare the similarities and differences between MySQL and PL/SQL, with specific code examples to illustrate. MySQL is a popular relational database management system that uses Structured Query Language (SQL) to manage and operate databases. PL/SQL is a procedural language unique to Oracle database and is used to write database objects such as stored procedures, triggers and functions. same
