SQL Injection Test Experience Tutorial

Login Injection

First look at one of our general login page SQL statements (original eco PHP executed SQL)

$sql = "SELECT * from users where username = ' $username ' and password = ' $password '";

For this SQL, it corresponds to a universal password and username:

Universal Password: xx ' or 1 = ' 1

Universal Username: xx ' Union SELECT * FROM users/*

When executed, MySQL is interpreted as:

$sql = select * from users where username = ' $username ' and password = ' xx ' or ' 1 = ' 1 '

Don't explain, instantly cracked

Again, the above is a single quotation mark for the input value after the query field in the SQL statement, and sometimes the novice programmer often does not add single quotes to the variable:

$sql = "SELECT * from users where username = $username and password = $password";

Then the MySQL explanation will be used as a numeric field to match

Universal Password: Union SELECT * FROM users/*

Execute statement:

SELECT * from the users where username =11union select * from users/* and password = 54

Query injection

This is better to understand, generally in the Page search box click button Search in the background SQL may use like to query, but without any processing, may enter a% or __ will inject into the SQL query all or part of the record, but in PHP can use a function to deal with:

$keyword = Addslashes ($keyword); $keword = Str_replace ("%", "$", $kwyword);

Insert Injection

We first simulate the SQL processing statement for a Web site registration page:

Insert into users (Username,password,grade) VALUES (' Frank ', ' 123456 ', ' 1 ');

If the users table is grade as a rank field, and the default field is 1, when the user enters the user name and password two fields at registration, the background INSERT statement is the above statement, and when the user enters the password of 123456 ', ' 3 ', execute SQL as:

Insert into users (Username,password,grade) VALUES (' Frank ', ' 123456 ', ' 3 ')/*, ' 1 ';

This can also achieve the purpose of injection

Resolve SQL injection:

①. Set the MAGIC_QUOTES_GPC in the php.ini configuration file to on in the server settings

The server automatically escapes the single quotation mark as: '

However, when attacking, you can write single quotes as char (13)-Single quote ASCII, and you can also attack

②. Password comparison pair

Get the password by entering the username and then match the password

$sql = "SELECT * from users where username = ' Frank '"

$result = mysql_query ($sql, $conn);

$row = Mysql_fetch_array ($result);

if ($row [' Password ']!= $password) ...

③. PDO using PDO::p Repare () preprocessing operations

PDO (PHP Data Object) extension is added in PHP5, PHP6 the default identification PDO connection database, PDO is equivalent to a database abstraction layer, different databases using the same method name, to resolve the database connection does not agree with the problem.

The working principle is as follows:

(You need to open support for PDO extensions in php.ini first)

$sql = "SELECT * from Users where username=?" and password=? "; Create a PDO object $mypdo = new PDO ("Mysql:host=localhost;port=3306;dbname=xx", "root", "123456"); Set the encoding $mypdo->exec ("Set names UTF8"); pretreatment $sql $pdostatement = $mypdo->prepare (%sql); Populate the SQL $pdostatement->execute ($username, $password) with the username and password; Get the result of the query $result = $pdostatement->fetch (); if (empty ($result)) ...

④. Other enterprise-class solution SQL injection mode: IDS (Intrusion detection System)

With regard to SQL injection for development engineers, the main defense, improve the awareness of writing security code, let us write code of higher quality, better security.