This article introduces SQL injection vulnerabilities in PHP with a worked example. When developing a website, for security reasons you must filter the characters passed in from the page. The usual places where page input reaches the database are the URL address bar, the logon interface, the message board and the search box, and each of them can give an attacker an opening. At best, data is leaked; at worst, the server itself is compromised.
I. SQL injection steps
A) Find an injection point (such as a logon interface or a message board).
B) Construct your own SQL fragment (for example ' or 1=1 #, which is explained later).
C) The fragment is sent to the database management system (DBMS) as part of a query.
D) The DBMS receives the request, parses it and performs the requested access operations.
E) The DBMS returns the results, which are passed back to the user.
Because you constructed a special SQL statement, special results come back (as long as your SQL statement is flexible enough).
Next, I will demonstrate SQL injection with a concrete instance.
II. A detailed SQL injection example (the test below assumes that magic_quotes_gpc is disabled on the server)
1) Preparation
First, we will demonstrate the SQL injection vulnerability by logging on to the back-end administrator interface.
Start by creating a table for the test:
The code is as follows:
CREATE TABLE `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(64) NOT NULL,
  `password` varchar(64) NOT NULL,
  `email` varchar(64) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=latin1;
Add a record for testing:
The code is as follows:
INSERT INTO users (username, password, email)
VALUES ('marcofly', md5('test'), 'marcofly@test.com');
Next, the source code of the logon interface (a plain HTML form that posts the username and password fields to validate.php):
The code is as follows:
<html>
<head><title>SQL injection demonstration</title></head>
<body>
<!-- logon form: the two field names must match $_POST['username'] and $_POST['password'] in validate.php -->
<form action="validate.php" method="post">
  username: <input type="text" name="username"><br>
  password: <input type="password" name="password"><br>
  <input type="submit" value="submit">
</form>
</body>
</html>
When you click the submit button, the form data is posted to validate.php. That page decides whether the username and password entered by the user meet the requirements; this step is critical, and it is where the SQL injection vulnerability usually lives.
The code is as follows:
<?php
// Logon verification (validate.php)
// Uses the legacy mysql_* extension, as in the original article (PHP 5 only).
$conn = @mysql_connect("localhost", 'root', '') or die("database connection failed!");
mysql_select_db("injection", $conn) or die("the database you want to select does not exist");
// user input is taken from the POST body without any filtering
$name = $_POST['username'];
$pwd  = $_POST['password'];
// the input is concatenated straight into the SQL text; the stored password is an md5 hash
$sql = "select * from users where username='$name' and password=md5('$pwd')";
$query = mysql_query($sql);
$arr = mysql_fetch_array($query);
if (is_array($arr)) {
    // a matching row was returned: treat the user as logged on
    header("Location: manager.php");
} else {
    echo "your username or password entered incorrectly. please log on again!";
}
?>
Note that we execute the data submitted by the user (username and password) directly, without filtering any special characters. You will soon see why this is fatal.
Code analysis: if the username and password match a row, the administrator interface (manager.php) is displayed; if they do not match, a friendly prompt is displayed.
At this point the preparation is complete. Next comes the main event: the SQL injection itself.
2) construct an SQL statement
After you fill in the correct username (marcofly) and password (test), click submit and return to the "welcome administrator" interface.
This is because the user name and password submitted are merged into the SQL query statement as follows:
The code is as follows:
select * from users where username='marcofly' and password=md5('test')
Obviously the username and password are the ones we inserted earlier, so the logon succeeds. What if we enter an incorrect username or password? Then, obviously, we cannot log on. That is the normal case; but on a website with an SQL injection vulnerability, a specially constructed "string" is enough to log on successfully.
For example, enter ' or 1=1 # in the username box and anything at all in the password box. The merged SQL query becomes:
The code is as follows:
select * from users where username='' or 1=1 #' and password=md5('')
Semantic analysis: "#" is the comment marker in MySQL, so everything after the hash sign is treated as a comment and is not executed. In other words, the following two SQL statements are equivalent:
The code is as follows:
select * from users where username='' or 1=1 #' and password=md5('')
is equivalent to
The code is as follows:
select * from users where username='' or 1=1
Because 1=1 is always true, the whole where clause is always true. Simplified further, the statement is equivalent to the following select:
The code is as follows:
select * from users
Yes: this statement retrieves every row of the users table, so mysql_fetch_array() returns the first row and the check passes.
Tip: if you are unsure why the payload ' or 1=1 # starts with a single quote, echo the merged SQL statement in validate.php and look at it.
As you can see, a constructed SQL statement has terrible destructive power. I believe you now have a rational understanding of SQL injection.
Yes, SQL injection is that easy. However, constructing flexible SQL statements for real-world conditions is not as easy; with this foundation you can explore it slowly.
Have you wondered what happens if the administrator filters special characters out of the data submitted through the back-end logon form? In that case our universal username ' or 1=1 # no longer works. That does not mean there are no countermeasures; there are many more ways for user input to reach the database.
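For comparison, here is a hardened validate.php, written as an added example rather than the article's own code. It assumes the same injection database and users table and keeps the article's md5 storage so the test record still works. Instead of filtering characters, it keeps user input out of the SQL text entirely with a mysqli prepared statement, so ' or 1=1 # is just a username value that matches no row.

```php
<?php
// validate.php, hardened version (added example, not the original article's code).
// Assumes the `injection` database and the `users` table from the article, with
// the password column holding md5 hashes as inserted there. A real deployment
// should migrate to password_hash()/password_verify().
$conn = new mysqli('localhost', 'root', '', 'injection');
if ($conn->connect_error) {
    die('database connection failed!');
}

$name = $_POST['username'] ?? '';
$pwd  = $_POST['password'] ?? '';

// The SQL text contains only a placeholder. The submitted username is sent to
// the server as data, never spliced into the statement, so quotes and '#' in it
// cannot change the query structure.
$stmt = $conn->prepare('SELECT id, username, password FROM users WHERE username = ?');
if ($stmt === false) {
    die('query preparation failed');
}
$stmt->bind_param('s', $name);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // null when no row matches
$stmt->close();

// Compare the stored hash with the hash of the submitted password in PHP using
// a constant-time comparison, instead of letting SQL decide via "password = md5(...)".
if ($row !== null && hash_equals($row['password'], md5($pwd))) {
    header('Location: manager.php');
    exit;
}
echo 'your username or password entered incorrectly. please log on again!';
```

With this version, submitting ' or 1=1 # as the username produces a lookup for that literal string, the query returns no row, and the logon is refused.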