SQL Injection Attack and Defense after magic_quote_gpc is enabled

By enabling related options in the php. ini configuration file, you can reject most hackers who want to exploit the SQL injection vulnerability. After magic_quote_gpc = on is enabled, the addslshes () and stripslashes () functions can be implemented. In PHP4.0 and later versions, this option is enabled by default, so in PHP4.0 and later versions, even if the parameters in the PHP program are not filtered, the PHP system will also automatically convert every variable passed through GET, POST, and COOKIE methods. In other words, all input injection attack code will be converted, it brings great difficulties to attackers. Even though www.2cto.com does, attackers still have the opportunity to launch SQL injection attacks ...... The premise is that when the parameter is numeric, It is not processed by the Intval () function, because after intval () processing, all data will be forcibly converted to numbers. As mentioned above, after magic_quote_gpc = on is enabled, the addslshes () function is used. However, the numeric type does not use single quotes, so the conversion of the addslshes () function is naturally bypassed. The char () function or HEX () and char () functions provided by MySQL can be used to interpret parameters as integers and return strings consisting of ASCII characters of these integers, in hexadecimal notation, 0x must be added before the number. Example: assume that we know that the Administrator's username is admin and the password is unknown. Magic_quote_gpc has been enabled. SQL statement: $ SQL = "select * from users where username = $ name and password = '$ pwd'"; Note: The variable $ name is not enclosed by quotation marks, enter username = admin % 23 in the address bar, then the merged SQL statement is: select * from users where username = 'admin \ '#' and password = ''; at this time, the single quotation mark (') entered in the url address bar will be added with a backslash, and the SQL statement will be invalid. After admin is converted to ASCII, It is char (97,100,109,105,110). In the address bar, enter username = char (97,100,109,105,110) % 23. The SQL statement is changed to: select * from users where username = char (97,100,109,105,110) # 'and password = ''; if the execution result is true, you can smoothly enter the background. For a digital injection attack, you must use intval () to forcibly convert the parameter to a number before any numeric parameter is put into the database, so as to cut off the generation of the Digital Injection Vulnerability. For example, $ id = intval ($ _ GET ['id']); select * from articles where id = '$ id'; enter: id = 5' or 1 = 1% 23 the SQL statement will be changed to: select * from articles where id = '5 '; instead of select * from articles where id = '5' or 1 = 1 #; summary: 1. remember to add single quotes for each variable, such as where username = '$ name', 2. enabling magic_quote_gpc is not absolutely secure. For Digital injection attacks, it is not enough to use the addslashes () function only for conversion. You also need to use intval () to forcibly convert parameters to numbers.