. Injection attack when magic_quotes_gpc = off
Magic_quotes_gpc = off is a very unsafe option in the php tutorial. The new version of php has changed the default value to on. But there are still quite a few servers with the option off. After all, no matter how antique the server is, there are still people using it.
When magic_quotes_gpc = on, it will automatically add all '(single quotation marks), "(double numbers), (backslashes), and blank characters in the submitted variables in front. The following is the official version of PHP Description:
The code is as follows:
magic_quotes_gpc boolean
sets the magic_quotes state for gpc (get/post/cookie) operations. when magic_quotes are on, all ' (single-quote), " (double quote), (backslash) and nul's are escaped with a backslash automatically
If there is no escape, that is, in the off case, it will give attackers an opportunity to take advantage. Take the following test script as an example:
The code is as follows:
if ( isset($_post["f_login"] ) )
{
// Tutorial on connecting to database...
//...The code is abbreviated...// Check if the user exists
$t_struname = $_post["f_uname"];
$t_strpwd = $_post["f_pwd"];
$t_strsql = "select * from tbl_users where username='$t_struname' and password = '$t_strpwd' limit 0,1";if ( $t_hres = mysql tutorial_query($t_strsql) )
{
// Processing after successful query. Briefly...
}
}
?>
sample test
In this script, when the user enters a normal username and password, assuming the values are zhang3 and abc123 respectively, the submitted sql statement is as follows:
The code is as follows:
select * from tbl_users
where username='zhang3' and password = 'abc123' limit 0,1
If the attacker enters: zhang3' or 1=1 # in the username field and abc123 in the password field, the submitted sql statement becomes as follows:
The code is as follows:
select * from tbl_users
where username='zhang3' or 1=1 #' and password = 'abc123' limit 0,1
Since # is a comment character in mysql, the statement after # will not be executed. To implement this line of statement, it becomes:
The code is as follows:
select * from tbl_users
where username='zhang3' or 1=1
This allows an attacker to bypass authentication. If the attacker knows the database structure, then it builds a union select, which is even more dangerous:
Suppose you enter in username: zhang3 ' or 1 =1 union select cola, colb,cold from tbl_b #
Enter password: abc123,
Then the submitted sql statement becomes:
The code is as follows:
select * from tbl_users
where username='zhang3 '
or 1 =1 union select cola, colb,cold from tbl_b #' and password = 'abc123' limit 0,1
1 2 3 4