Mining and Defense of SQL Injection Vulnerabilities in DVWA, Part 6
Next we will look at the high-level SQL injection source code.
In addition to the mysql_real_escape_string() function seen before, a stripslashes() function is added. This function deletes the backslashes added by addslashes(), that is, it undoes the escaping performed by addslashes().
Why is this step required? Because at the high level, PHP's magic_quotes_gpc is automatically set to on. magic_quotes_gpc ("magic quotes") makes PHP automatically run addslashes() on all GET, POST and COOKIE data; the data must therefore be passed through stripslashes() first, otherwise mysql_real_escape_string() would escape it a second time. magic_quotes_gpc was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, which is why DVWA emphasizes mysql_real_escape_string() for filtering.
In addition, before the query is executed an if statement checks the input, with is_numeric() as its condition: it determines whether the data entered by the user is numeric. Anything that is not a number produces an error, so keywords such as and, or and select cannot be executed.
Finally, in the actual query the $id is also treated as a string (it is enclosed in quotes). With this protection in place, injecting into the page is difficult.
Therefore, the high level in DVWA shows us a sample of how to prevent SQL injection at the code level. As to whether the high level can still be injected, presumably only real hackers can do it.
Finally, let us summarize how to prevent SQL injection at the code level.
For numeric injection, an if statement with is_numeric() as the judgment condition is enough to defend against attacks.
For string-type injection, filter the variables that receive user parameters with the mysql_real_escape_string() function.
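The following PHP is an added example, not DVWA's own code, showing the two defenses just summarized side by side: the numeric gate used by the high level (stripslashes, then mysql_real_escape_string, then is_numeric, with the value still quoted in the SQL) and the string-type filter (escaping alone). It goes one step beyond the text by also showing the same lookup as a prepared statement, which removes the need to escape at all. The mysqli_* functions are used because the mysql_* family was removed in PHP 7; `$link` is an assumed open mysqli connection, and the connection values in the usage comment are placeholders.

```php
<?php
// Added example; this is not DVWA's own code. It shows the numeric gate of the
// high level and the string-type filter next to each other, using mysqli_*
// because mysql_* was removed in PHP 7. $link is assumed to be an open mysqli
// connection created elsewhere (hypothetical).

/** Numeric parameter: returns the SQL to run, or null when the input is rejected. */
function build_numeric_id_query(string $raw_id, mysqli $link): ?string
{
    // 1. Undo magic_quotes_gpc only if it was actually on. Stripping
    //    unconditionally would alter input that legitimately contains '\'.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $raw_id = stripslashes($raw_id);
    }
    // 2. Escape for the quoted-string context of the query.
    $id = mysqli_real_escape_string($link, $raw_id);
    // 3. The gate: input containing and/or/select or a quote is not numeric.
    //    Note that is_numeric() still accepts forms such as "1e3" or " 7";
    //    use FILTER_VALIDATE_INT when only a plain integer is acceptable.
    if (!is_numeric($id)) {
        return null;
    }
    // 4. The value is still quoted in the SQL, exactly as the high level does.
    return "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
}

/** String parameter: the only defense is escaping the quote characters. */
function build_username_query(string $raw_user, mysqli $link): string
{
    $user = mysqli_real_escape_string($link, $raw_user);
    // Escaping is what keeps a quote in the input from closing the literal.
    return "SELECT user_id FROM users WHERE user = '$user'";
}

/**
 * The same lookup with a prepared statement. The parameter travels separately
 * from the SQL text, so neither escaping nor the is_numeric() gate is needed to
 * keep the query structure intact; validation becomes a pure business rule.
 */
function fetch_user_by_id_prepared(string $raw_id, mysqli $link): ?array
{
    $id = filter_var($raw_id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $link->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $id); // 'i': bound as an integer, never interpolated
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (requires a live connection; host, user, password and database are placeholders):
// $link = mysqli_connect('<host>', '<user>', '<password>', '<database>');
// $sql  = build_numeric_id_query($_GET['id'] ?? '', $link);
// if ($sql === null) { exit('Unknown column'); }
// $result = mysqli_query($link, $sql);
```

The comment in step 3 is the practical caveat: is_numeric() is a good gate against injected keywords, but it is not the same as "is an integer id". When the column is an integer, validating with FILTER_VALIDATE_INT and binding the parameter, as in the last function, is the tighter check.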
So how can we mine SQL injection vulnerabilities at the code level?
The primary principle here is that all user input is harmful, or at least untrusted.
Therefore, you can start from the following aspects:
First, the variables in the code that obtain user data: $_GET, $_POST, $_COOKIE and $_SERVER.
Second, the functions in the code that perform database query operations, such as mysql_query().
We can search for and track these variables and functions in the code to analyze whether vulnerabilities exist.
Here a file-search tool (the author uses one called Lightning File Search) can be used for searching and analysis, as shown in the figure.
Taking DVWA's login file login.php for analysis, we can find that the parameter type here is string, and two defensive measures are taken: one is filtering with the mysql_real_escape_string() function, the other is placing the @ symbol before mysql_query() to suppress error messages. Therefore, this page is relatively secure.
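As an added example (not from the article or from DVWA), the following script performs the search described above programmatically instead of with a file-search tool: it tokenizes a PHP file with PHP's own token_get_all() and lists every read of the user-controlled superglobals named above (the sources) and every database query call (the sinks), together with the variables that appear inside each call. The PHP source it analyzes is a constructed sample modeled on the high-level pattern; in real use you would pass it file_get_contents() of each DVWA file.

```php
<?php
// Added example (not the article's or DVWA's code): a small source-audit
// helper for the "mining" step. It tokenizes PHP source and reports the two
// things the text says to track: reads of user-controlled superglobals (the
// sources) and database query calls (the sinks), listing the variables that
// appear inside each sink call so the analyst knows which ones to trace back.

const USER_SOURCES = ['$_GET', '$_POST', '$_COOKIE', '$_SERVER', '$_REQUEST'];
const QUERY_SINKS  = ['mysql_query', 'mysqli_query', 'mysql_db_query'];

/** Returns one finding string per source read or sink call, in source order. */
function audit_php_source(string $code): array
{
    $findings = [];
    $tokens = token_get_all($code);
    $n = count($tokens);

    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue; // single-character tokens such as '(' or ';'
        }
        [$id, $text, $line] = $tok;

        if ($id === T_VARIABLE && in_array($text, USER_SOURCES, true)) {
            $findings[] = sprintf('line %d: source  %s', $line, $text);
            continue;
        }

        if ($id === T_STRING && in_array(strtolower($text), QUERY_SINKS, true)) {
            // Confirm this is a call: the next non-whitespace token must be '('.
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j >= $n || $tokens[$j] !== '(') {
                continue;
            }
            // Collect every variable inside the call's parentheses, including
            // those interpolated in double-quoted SQL strings ("... '$id'").
            $depth = 0;
            $vars = [];
            for ($k = $j; $k < $n; $k++) {
                $t = $tokens[$k];
                if ($t === '(') {
                    $depth++;
                } elseif ($t === ')') {
                    if (--$depth === 0) {
                        break;
                    }
                } elseif (is_array($t) && $t[0] === T_VARIABLE) {
                    $vars[] = $t[1];
                }
            }
            $findings[] = sprintf('line %d: sink    %s() uses %s', $line, $text,
                $vars ? implode(', ', array_unique($vars)) : 'no variables');
        }
    }
    return $findings;
}

// Constructed sample modeled on the DVWA high-level pattern, plus one query
// that uses a POST value without any filtering. Nowdoc, so nothing is interpolated.
$sample = <<<'PHP'
<?php
$id = $_GET['id'];
$id = stripslashes($id);
$id = mysql_real_escape_string($id);
if (is_numeric($id)) {
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    $result = @mysql_query($getid);
}
$user    = $_POST['username'];
$result2 = mysql_query("SELECT user_id FROM users WHERE user = '$user'");
PHP;

foreach (audit_php_source($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

The report pairs each sink with the variables it consumes; the remaining manual step is the one the text describes, following each of those variables backwards to see whether it passed through mysql_real_escape_string(), is_numeric() or neither before reaching the query. In the sample, $getid leads back to a filtered $_GET value, while $user reaches mysql_query() straight from $_POST.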