SQL injection test experience tutorial
Logon Injection
First, let's look at the SQL statement behind a typical login page (the SQL executed by a plain PHP page):
$sql = "select * from users where username = '$username' and password = '$password'";
For such an SQL statement, a "universal" password or user name can be used:
Universal password: xx' or 1='1
Universal user name: xx' union select * from users /*
MySQL interprets the universal password as:
$sql = select * from users where username = '$username' and password = 'xx' or 1 = '1'
No further explanation needed: the login check is bypassed instantly.
Normally the input values compared against fields in an SQL statement are enclosed in single quotes. In some cases, especially with junior programmers, the variables are not quoted at all:
$sql = "select * from users where username = $username and password = $password";
In this case MySQL treats the field as numeric when matching.
Universal password: 11 union select * from users /*
The executed statement becomes:
select * from users where username = 11 union select * from users /* and password = 54
Query Injection
This one is easy to understand. When a user clicks the button next to the search box on a page, the background SQL probably uses like. If the input is not processed, a user can enter % or _ to inject wildcards into the SQL and retrieve all or part of the records. PHP functions can handle this:
$keyword = addslashes($keyword);
// escape the like wildcards so they match literally (the underscore is added here for the same reason as the percent sign)
$keyword = str_replace(array("%", "_"), array("\%", "\_"), $keyword);
Insert Injection
First we simulate the SQL statement behind a website's registration page:
insert into users (username, password, grade) values ('frank', '000000', '1');
Here grade is the level field of the users table and defaults to 1. The user fills in the username and password fields during registration and the background runs the insert statement above. If the password entered by the user is 123456', '3')/*, the SQL statement that runs is:
insert into users (username, password, grade) values ('frank', '123456', '3')/*', '1');
This achieves the purpose of injection as well.
Solving SQL injection:
① Set magic_quotes_gpc in the server's php.ini configuration file
The server then automatically escapes single quotes as \'
However, the single quote can also be written as char(13), its ASCII code, during an attack.
② Password comparison
Look up the stored password by the entered user name, then compare the passwords in PHP:
$sql = "select * from users where username = 'frank'";
$result = mysql_query($sql, $conn);
$row = mysql_fetch_array($result);
if ($row['password'] != $password) ...
③ Use PDO's prepare() preprocessing
The PDO (PHP Data Objects) extension was added in PHP 5, and PHP 6 is expected to use PDO for database connections by default. PDO is equivalent to a database abstraction layer: different databases are driven through the same method names, which solves the problem of inconsistent database connection interfaces.
The working principle is as follows:
(Support for the PDO extension must first be enabled in php.ini)
$sql = "select * from users where username = ? and password = ?";
// create a PDO object
$mypdo = new PDO("mysql:host=localhost;port=3306;dbname=xx", "root", "123456");
// set the encoding
$mypdo->exec("set names utf8");
// prepare $sql
$pdostatement = $mypdo->prepare($sql);
// bind the user name and password into the SQL
$pdostatement->execute(array($username, $password));
// fetch the query result
$result = $pdostatement->fetch();
if (empty($result)) ...
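The following is an added example, not the tutorial's own code: it puts the login query from the first section and the like search from the Query Injection section onto PDO prepared statements, and shows that binding alone does not neutralise the % and _ wildcards, which still need escaping. It assumes an in-memory SQLite database and constructed users rows so that it runs without a MySQL server.

```php
<?php
// Added example, not the tutorial's own code: a login check and a keyword
// search done only with PDO prepared statements. It uses an in-memory SQLite
// database instead of MySQL so it runs stand-alone; the users rows are
// constructed test data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT, grade INTEGER DEFAULT 1)');
$pdo->exec("INSERT INTO users (username, password) VALUES ('frank', '000000')");
$pdo->exec("INSERT INTO users (username, password) VALUES ('frank_2', '123456')");

// Login: both inputs travel as bound parameters, so a quote inside them is
// data and can never terminate the string literal in the SQL text.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetchColumn() !== false;
}

// Search: binding stops quote injection, but % and _ keep their wildcard
// meaning inside the bound value, so they are escaped with a declared ESCAPE
// character ('!' here, which also works on MySQL) before the search
// wildcards are appended. The escape character itself is escaped first.
function searchUsers(PDO $pdo, string $keyword): array
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword);
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username LIKE ? ESCAPE '!'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(login($pdo, 'frank', '000000'));          // real credentials
var_dump(login($pdo, "xx' or 1='1", 'anything'));  // the "universal password" is now just a literal string
var_dump(searchUsers($pdo, 'fra'));                // ordinary substring search
var_dump(searchUsers($pdo, '%'));                  // a bare % is matched literally, not as "everything"
var_dump(searchUsers($pdo, '_'));                  // only user names containing a literal underscore
```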
④ Other enterprise-level SQL injection solutions: IDS (Intrusion Detection System)
In the end, SQL injection mainly pushes development engineers to raise their awareness of writing secure code, so that we write code of higher quality and better security.