After magic_quote_gpc is enabled, the SQL injection attack and prevention of bitsCN.com can be rejected by most hackers who want to exploit the SQL injection vulnerability by enabling related options in the php. ini configuration file.
After magic_quote_gpc = on is enabled, the addslshes () and stripslashes () functions can be implemented. In PHP4.0 and later versions, this option is enabled by default, so in PHP4.0 and later versions, even if the parameters in the PHP program are not filtered, the PHP system will also automatically convert every variable passed through GET, POST, and COOKIE methods. In other words, all input injection attack code will be converted, it brings great difficulties to attackers.
Even so, attackers still have the opportunity to launch SQL injection attacks ...... The premise is that when the parameter is numeric, it is not processed by the Intval () function, because after intval () processing, all data will be forcibly converted to numbers.
As mentioned above, after magic_quote_gpc = on is enabled, the addslshes () function is used. However, the numeric type does not use single quotes, so the conversion of the addslshes () function is naturally bypassed. The char () function or HEX () and char () functions provided by MySQL can be used to interpret parameters as integers and return strings consisting of ASCII characters of these integers, in hexadecimal notation, 0x must be added before the number.
Example:
Suppose we know that the administrator's username is admin and the password is unknown. Magic_quote_gpc has been enabled.
SQL statement: $ SQL = "select * from users where username = $ name and password = '$ pwd'"; note: The variable $ name is not enclosed in quotation marks.
Enter username = admin % 23 in the address bar, and the merged SQL statement is:
Select * from users where username = 'admin/'#' and password = '';
At this time, the single quotation mark (') entered in the url address bar will be added with a backslash, and the SQL statement will be invalid.
After admin is converted to ASCII, it is char (97,100,109,105,110)
Enter username = char (97,100,109,105,110) % 23 in the address bar
The SQL statement becomes:
Select * from users where username = char (97,100,109,105,110) # 'and password = '';
If the execution result is true, you can smoothly enter the background.
For a digital injection attack, you must use intval () to forcibly convert the parameter to a number before any numeric parameter is put into the database, so as to cut off the generation of the digital injection vulnerability.
For example: $ id = intval ($ _ GET ['id']);
Select * from articles where id = '$ ID ';
Enter: id = 5' or 1 = 1% 23 in the address bar.
The SQL statement will be changed to: select * from articles where id = '5 ';
Instead of select * from articles where id = '5' or 1 = 1 #;
Summary:
Remember to add single quotes for each variable, such as where username = '$ name ',
Enabling magic_quote_gpc is not absolutely secure. for digital injection attacks, it is not enough to use the addslashes () function only for conversion. you also need to use intval () to forcibly convert parameters to numbers.
How to prevent SQL injection attacks
Method 1: password comparison Idea: first query the database using the user name entered by the user, obtain the password corresponding to the user name in the database, and then compare the password queried from the database with the password submitted by the user.
Code:
$ SQL = "select password from users where username = '$ name '";
$ Res = mysql_query ($ SQL, $ conn );
If ($ arr = mysql_fetch_assoc ($ res) {// if the user name exists
If ($ arr ['password'] = $ pwd) {// password comparison
Echo "logon successful ";
} Else {
Echo "incorrect password ";
}
} Else {
Echo "this user name does not exist ";
}
Analysis: In this case, the code is much more robust, even if magic_quote_gpc = Off, it can prevent SQL injection attacks. If attackers want to log on successfully, they have to bypass two barriers. The first is that the input username must exist. in this step, an SQL statement ('or 1 = 1% 23) can be constructed to bypass it directly, however, this cannot pass the second hurdle. Because the user needs to enter a correct password to pass, apparently, this has refused the SQL injection attack.
Method 2: Use PDO: prepare () preprocessing of PDO to prevent SQL injection attacks Idea: Create a pdo object and use the pdo preprocessing operation to prevent SQL injection attacks.
Code:
$ Name = $ _ GET ['username'];
$ Pwd = $ _ GET ['password'];
$ SQL = "select * from users where username =? And password =? ";
// 1. create a pdo object
$ Pdo = new PDO ("mysql: host = localhost; port = 3306; dbname = injection", "root ","");
// 2. set the encoding
$ Pdo-> exec ("set names 'utf8 '");
// 3. preprocessing $ SQL statements
$ PdoStatement = $ pdo-> prepare ($ SQL );
// 4. enter the received user name and password
$ PdoStatement-> execute (array ($ name, $ pwd ));
// 5. retrieve the result
$ Res = $ pdoStatement-> fetch ();
If (empty ($ res )){
Echo "incorrect user name or password ";
} Else {
Echo "logon successful ";
}
BitsCN.com
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
