The magic_quotes_gpc setting in php.ini

Source: Internet
Author: User

When magic_quotes_gpc = On is set, PHP applies the addslashes() conversion to input automatically (stripslashes() undoes it). In PHP 4.0 and later versions this option is enabled by default, so even if the PHP program does not filter its parameters, PHP automatically converts every variable passed in through GET, POST, and COOKIE. In other words, injected attack code in the input is escaped, which makes attacks considerably harder.

Even so, attackers still have an opportunity to launch SQL injection attacks. The precondition is that the parameter is numeric and has not been processed by the intval() function, because after intval() processing all data is forcibly converted to a number.

As mentioned above, once magic_quotes_gpc = On is enabled, the addslashes() conversion is applied. A numeric parameter, however, is not wrapped in single quotes, so the addslashes() conversion is bypassed. MySQL's CHAR() function, or HEX() together with CHAR(), can then be used: CHAR() interprets its arguments as integers and returns the string made up of the ASCII characters of those integers. In hexadecimal notation, 0x must be added before the number.

Example:

Suppose we know that the administrator's username is admin and the password is unknown, and that magic_quotes_gpc is enabled.

SQL statement:

    $sql = "select * from users where username = $name and password = '$pwd'";

Note: the variable $name is not enclosed in quotation marks.

Enter username='admin'%23 in the address bar, and the merged SQL statement is:

    select * from users where username = 'admin' #' and password = '';

With magic_quotes_gpc enabled, however, each single quotation mark (') entered in the URL is prefixed with a backslash, so this SQL statement becomes invalid.

Converted to ASCII codes, admin is char(97,100,109,105,110).

Enter:

    username=char(97,100,109,105,110)%23

The SQL statement becomes:

    select * from users where username = char(97,100,109,105,110) #' and password = '';

If the query evaluates to true, the login check passes and the admin back end can be entered.

To defend against numeric injection, use intval() to forcibly convert every numeric parameter to a number before it is put into a database query. This closes off the numeric injection vulnerability.

For example:

    $id = intval($_GET['id']);
    $sql = "select * from articles where id = '$id'";

In the address bar, enter:

    id=5' or 1=1%23

The SQL statement becomes:

    select * from articles where id = '5';

instead of:

    select * from articles where id = '5' or 1=1 #';

Summary:

Remember to put single quotes around every variable, such as where username = '$name'.
Enabling magic_quotes_gpc is not absolutely secure. For numeric injection attacks, conversion with the addslashes() function alone is not enough; you also need intval() to forcibly convert parameters to numbers.
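
The two rules in the summary, side by side with the unquoted statement from the example, as an added illustration that is not code from the original article. addslashes() stands in for the escaping that magic_quotes_gpc applied (the directive was removed in PHP 5.4); the function names and input values are constructed, and the FILTER_VALIDATE_INT branch goes one step beyond the article's intval() by rejecting bad input instead of coercing it.

```php
<?php
// Added example, not from the original article. addslashes() stands in for
// the escaping magic_quotes_gpc applied to GET, POST and COOKIE values.
// Function names and all input values are constructed for illustration.

function login_sql(string $name, string $pwd, bool $quoteName): string
{
    $name = addslashes($name);
    $pwd  = addslashes($pwd);
    // Unquoted: the value is parsed as SQL. Quoted: it stays string data.
    $nameExpr = $quoteName ? "'$name'" : $name;
    return "select * from users where username = $nameExpr and password = '$pwd'";
}

function article_sql(string $id, bool $strict): string
{
    if ($strict) {
        // Stricter than intval(): reject anything that is not a whole number.
        $n = filter_var($id, FILTER_VALIDATE_INT);
        if ($n === false) {
            return "rejected: id is not an integer";
        }
    } else {
        // The article's fix: coerce to int, discarding any trailing text.
        $n = intval($id);
    }
    return "select * from articles where id = '$n'";
}

$quoteFree = "char(97,100,109,105,110)#";   // constructed request value
$withQuote = "5' or 1=1#";                  // constructed request value

// Escaping finds nothing to change in a value with no quote characters.
var_dump(addslashes($quoteFree) === $quoteFree);

// Unquoted variable: the function call and the comment marker reach MySQL.
echo login_sql($quoteFree, "", false), "\n";
// Quoted variable: the same input is only an odd-looking username.
echo login_sql($quoteFree, "", true), "\n";

// Numeric parameter: intval() coerces, FILTER_VALIDATE_INT rejects.
echo article_sql($withQuote, false), "\n";
echo article_sql($withQuote, true), "\n";
echo article_sql($quoteFree, false), "\n";
```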
