magic_quotes_gpc = Off and SQL injection attacks
magic_quotes_gpc = Off is a very unsafe PHP setting. Newer versions of PHP changed the default value to On, but a considerable number of servers still run with the option Off; after all, old servers are still in use by others.
When magic_quotes_gpc = On, PHP automatically prefixes every single quote ('), double quote ("), backslash (\) and NUL character in submitted variables with a backslash. The official PHP description is as follows:
The code is as follows:
magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.
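To make the effect of that setting concrete, the following added example (not code from the original tutorial) emulates the escaping rule quoted above and applies it to the tutorial's own login query. The escape_like_magic_quotes(), build_login_query() and magic_quotes_enabled() names are assumptions made for this demo; the inputs are constructed from the walkthrough further down.

```php
<?php
// Added example: emulate the escaping that magic_quotes_gpc = On applies to
// GET/POST/COOKIE values, so its effect on the tutorial's login query can be
// seen without touching php.ini. (PHP's own addslashes() applies the same rule.)

// The documented rule: ' " \ and NUL are each prefixed with a backslash.
// strtr() with an array replaces each character once, so nothing is escaped twice.
function escape_like_magic_quotes(string $value): string
{
    return strtr($value, [
        "\\" => "\\\\",
        "'"  => "\\'",
        "\"" => "\\\"",
        "\0" => "\\0",
    ]);
}

// Build the query string exactly the way the tutorial's vulnerable script does.
function build_login_query(string $uname, string $pwd): string
{
    return "SELECT * FROM tbl_users WHERE username='$uname' AND password='$pwd' LIMIT 0,1";
}

// Report whether the server is actually escaping input. get_magic_quotes_gpc()
// exists only up to PHP 7.4 (deprecated there) and always returns false from
// PHP 5.4 on, because the feature was removed; on PHP 8 it is gone entirely.
function magic_quotes_enabled(): bool
{
    if (function_exists('get_magic_quotes_gpc')) {
        return (bool) get_magic_quotes_gpc();
    }
    return false;
}

// Constructed inputs: the attacker string and password from the tutorial's walkthrough.
$payload  = "zhang3' or 1=1 #";
$password = "abc123";

echo "This server escapes GPC input: ", magic_quotes_enabled() ? "yes" : "no", "\n\n";

echo "Query with magic_quotes_gpc = Off (input used verbatim):\n";
echo build_login_query($payload, $password), "\n\n";

echo "Query with magic_quotes_gpc = On (input escaped first):\n";
echo build_login_query(escape_like_magic_quotes($payload), escape_like_magic_quotes($password)), "\n";
```

Run it with `php magic_quotes_demo.php`. In the escaped version the attacker's quote becomes `\'`, so the whole input stays inside the string literal and the `or 1=1` never reaches the parser as SQL. Two caveats a practitioner should keep in mind: the escaping only helps inside a quoted string literal (a value interpolated into a numeric context is not protected), and because the option was removed in PHP 5.4, every current server behaves as "Off" and the application itself has to do the escaping or, better, use parameterized queries.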
Without this escaping, i.e. when the option is Off, an attacker can take advantage of it. Take the following test script as an example:
The code is as follows:
<?php
if (isset($_POST["f_login"]))
{
    // connect to the database ...
    // ... code omitted ...
    // check whether the user exists
    $t_struname = $_POST["f_uname"];
    $t_strpwd   = $_POST["f_pwd"];
    $t_strsql   = "SELECT * FROM tbl_users WHERE username='$t_struname' AND password='$t_strpwd' LIMIT 0,1";
    if ($t_hres = mysql_query($t_strsql))
    {
        // processing after a successful query, omitted ...
    }
}
?>
<body>
<form method="post" action="">
Username: <input type="text" name="f_uname" size="30"><br>
Password: <input type="text" name="f_pwd" size="30"><br>
<input type="submit" name="f_login" value="Login">
</form>
</body>
In this script, when the user enters a normal username and password, say zhang3 and abc123, the submitted SQL statement is as follows:
The code is as follows:
SELECT * FROM tbl_users
WHERE username='zhang3' AND password='abc123' LIMIT 0,1
If an attacker instead enters zhang3' or 1=1 # in the Username field and abc123 in the Password field, the submitted SQL statement becomes:
The code is as follows:
SELECT * FROM tbl_users
WHERE username='zhang3' or 1=1 #' AND password='abc123' LIMIT 0,1
Because # is the comment character in MySQL, everything after the # is not executed, so the statement actually run becomes:
The code is as follows:
SELECT * FROM tbl_users
WHERE username='zhang3' or 1=1
This lets the attacker bypass authentication. If the attacker also knows the structure of the database, building a UNION SELECT is even more dangerous.
Suppose the Username field receives: zhang3' or 1=1 union select cola, colb, cold from tbl_b #
and the Password field receives: abc123
Then the submitted SQL statement becomes:
The code is as follows:
SELECT * FROM tbl_users
WHERE username='zhang3'
or 1=1 union select cola, colb, cold from tbl_b #' AND password='abc123' LIMIT 0,1
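The fix for the test script above and for the bypass just shown is not a php.ini setting but a parameterized query. The following added example (not code from the original tutorial) runs the tutorial's login check in both forms, string interpolation and a PDO prepared statement, against an in-memory SQLite table constructed for the demo. It assumes the pdo_sqlite extension is available; the function names open_demo_db(), login_interpolated(), login_prepared() and emulate_mysql_hash_comment() are assumptions made for this demo. Because SQLite has no # line comments, the helper reproduces MySQL's handling of # so the page's payload behaves as the walkthrough describes.

```php
<?php
// Added example: the tutorial's login check with and without a prepared
// statement, run against an in-memory SQLite database so it works offline.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed demo table and row (not from the original tutorial).
    $db->exec("CREATE TABLE tbl_users (username TEXT, password TEXT)");
    $db->exec("INSERT INTO tbl_users VALUES ('zhang3', 'abc123')");
    return $db;
}

// SQLite does not know MySQL's '#' comment, so to reproduce what MySQL would
// execute for the tutorial's payload, drop everything from the first '#' that
// lies outside a single-quoted string, exactly as MySQL's parser would.
function emulate_mysql_hash_comment(string $sql): string
{
    $inQuote = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === "'") {
            $inQuote = !$inQuote;
        } elseif ($c === '#' && !$inQuote) {
            return substr($sql, 0, $i);
        }
    }
    return $sql;
}

// Vulnerable form from the tutorial: the values become part of the SQL text,
// so a quote in the input changes the structure of the statement.
function login_interpolated(PDO $db, string $uname, string $pwd): bool
{
    $sql = "SELECT * FROM tbl_users WHERE username='$uname' AND password='$pwd' LIMIT 0,1";
    $row = $db->query(emulate_mysql_hash_comment($sql))->fetch(PDO::FETCH_ASSOC);
    return $row !== false;
}

// Hardened form: the SQL text is fixed at prepare time and the values travel
// separately as parameters, so they can only ever be compared as data.
function login_prepared(PDO $db, string $uname, string $pwd): bool
{
    $stmt = $db->prepare(
        "SELECT * FROM tbl_users WHERE username = :u AND password = :p LIMIT 1"
    );
    $stmt->execute([':u' => $uname, ':p' => $pwd]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

$db      = open_demo_db();
$payload = "zhang3' or 1=1 #";   // the bypass string from the tutorial

// Legitimate credentials: both versions should find the row.
var_dump(login_interpolated($db, 'zhang3', 'abc123'));
var_dump(login_prepared($db, 'zhang3', 'abc123'));

// Injected username with a wrong password: only the interpolated version
// should let it through; the prepared statement treats it as a literal name.
var_dump(login_interpolated($db, $payload, 'wrong'));
var_dump(login_prepared($db, $payload, 'wrong'));
```

Run it with `php prepared_demo.php`. The first three calls find the user and the last one does not, because the prepared statement looks for a user literally named `zhang3' or 1=1 #`. The same change carries over to MySQL with mysqli_prepare() or PDO's MySQL driver; the escaping that magic_quotes_gpc used to apply becomes unnecessary, since the database never sees the input as SQL.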