By enabling the relevant options in the PHP.ini configuration file, the majority of hackers who want to take advantage of SQL injection vulnerabilities can be turned down outside the door.
After opening the Magic_quote_gpc=on, the functions of the addslshes () and stripslashes () functions are realized. In PHP4.0 and above, this option is turned on by default, so in PHP4.0 and above versions, even if the parameters in the PHP program are not filtered, the PHP system automatically converts to every variable passed by GET, POST, cookie, in other words, The injected attack code entered will all be converted, causing great difficulty to the attacker.
Nonetheless, the attacker still had the opportunity to perform a SQL injection attack ... The premise is that when the parameter is numeric and not processed by the intval () function, because after the processing of intval (), all data is coerced into numbers.
As mentioned earlier, when Magic_quote_gpc=on is turned on, it is equivalent to using the Addslshes () function. But the numeric type does not use single quotes, so it's a matter of course to bypass the addslshes () function conversion. Using MySQL's own char () function or hex (), char () can interpret parameters as integers and return a string of ASCII code characters for these integers, which means that you must precede the number with 0x.
Example Demo:
Suppose we know that the admin username is admin and the password is not known. And the MAGIC_QUOTE_GPC has been enabled.
SQL statement: $sql = "SELECT * from Users where username= $name and password= ' $pwd '"; Note: variable $name without quotes
At this point, enter username=admin%23 in the Address bar, and the synthesized SQL statement is:
SELECT * from users where username= ' admin\ ' and password= ';
The single quotation mark (') entered through the URL address bar will be prefixed with a backslash, which will invalidate the SQL statement.
Admin converted to ASCII is char (97,100,109,105,110)
At this point, enter Username=char (97,100,109,105,110) in the address bar%23
The SQL statement becomes:
SELECT * from Users where Username=char (97,100,109,105,110) # ' and password= ';
The results of the implementation of the true, you can smoothly into the background.
For a digital injection attack, it is necessary to use Intval () to cast the parameter to a number before any numeric parameter is put into the database, thus eliminating the emergence of a digital injection vulnerability.
For example: $id =intval ($_get[' id '));
SELECT * from articles where id= ' $id ';
Enter the Address bar: id=5 ' or 1=1%23
The SQL statement becomes: SELECT * from articles where id= ' 5 ';
Instead of the select * from articles where id= ' 5 ' or 1=1#;
Summarize:
For each variable, remember to enclose a single quote, such as where username= ' $name ',
Opening MAGIC_QUOTE_GPC is not absolutely safe, and for digital injection attacks it is not enough to use the addslashes () function to convert the parameter to a number by using Intval ()
How to prevent SQL injection attacks
method One: password comparison pair
Thinking: First, the user entered the user name to query the database, get the user name in the database corresponding password, and then the query from the database password and user submitted over the password to carry out the match.
Code:
Copy Code code as follows:
$sql = "Select password from users where username= ' $name '";
$res =mysql_query ($sql, $conn);
if ($arr =mysql_fetch_assoc ($res)) {//if user name exists
if ($arr [' Password ']== $pwd) {//Password pair
echo "Login succeeded";
}else{
echo "Incorrect password input";
}
}else {
echo "This username does not exist";
}
Analysis: In this case, the code is robust enough to prevent SQL injection attacks even in the case of Magic_quote_gpc=off. Because the attacker wants to log in successfully, they have to bypass the two, the first is to enter the username to exist, this step can construct an SQL statement (' or 1=1%23) directly bypass, but this way can not pass the second hurdle. Because the user is required to enter a correct password to pass, obviously, this has rejected the SQL injection attack.
method Two: Use PDO's PDO::p Repare () preprocessing operations to prevent SQL injection attacks
Idea: Create a PDO object and use PDO preprocessing to prevent SQL injection attacks
Code:
Copy Code code as follows:
$name =$_get[' username '];
$pwd =$_get[' password '];
$sql = "SELECT * from Users where username= and password=?";
//1. Create a PDO object
$pdo =new PDO ("Mysql:host=localhost;port=3306;dbname=injection", "Root", "");
//2. Set encoding
$pdo->exec ("Set names ' UTF8 '");
//3. Preprocessing $sql statements
$pdoStatement = $pdo->prepare ($sql);
//4. Fill in
$pdoStatement->execute ($name, $pwd) with the received username and password;
//5 results
$res = $pdoStatement->fetch ();
if (empty ($res)) {
echo "user name or password entered incorrectly";
}else{
Echo "Login succeeded";
}
