SQL injection attack technology implementation and preventive measures in PHP

SQL attacks (SQL injection, Taiwan is called SQL data hidden-code attacks), referred to as injection attacks, are vulnerabilities that occur at the database level of the application. In short, you inject SQL instructions into the input string and ignore the checks in poorly designed programs, so the injected instructions are corrupted by the database server mistaken for a normal SQL instruction.

Some people think that SQL injection attacks are only for Microsoft SQL Server, but as long as it is a database server that supports batch SQL instructions, it is likely to be attacked by this technique.

Reason

In applications where the following conditions are the case, the application may be exposed to the high risk of SQL injection:

Use string joins in your application to combine SQL directives.

Use an account that is too large when the application links to the database (for example, many developers prefer to connect to the Microsoft SQL Server database with the SA (the built-in highest-privileged system administrator account).

Unnecessary but powerful features are open in the database (for example, xp_cmdshell extended stored procedures in Microsoft SQL Server databases or OLE Automation stored procedures, etc.)

Too trusting the data entered by the user, not restricting the number of characters entered, and checking for potential instructions for data not entered by the user.

Principle of action

SQL commands can be queried, inserted, updated, deleted, and so on, and the command string is connected. The difference between a semicolon character and a different command. (The original function is used for subquery or as a query, insert, UPDATE, delete ...) And so on the conditional type)

The SQL command is wrapped in single quote characters for the passed-in string argument. "But 2 consecutive single quote characters, in the SQL database, as a single quote character in the string"

SQL commands, you can inject the annotation "2 consecutive minus characters--after the text is annotated, or" * "and" * * "wrapped in text as a note

Therefore, if you do not replace a single quote character with a command string that combines SQL, it will cause the character variable to maliciously tamper with the original SQL syntax when filling in the command string.

The main reason for SQL injection attacks is due to the following two reasons:

1. The MAGIC_QUOTES_GPC option in the PHP configuration file php.ini is not opened and is set to off;

2. Developers do not check and escape data types.

But in fact, the 2nd is the most important. I think that it is the most basic quality of a web programmer to check the data type entered by the user and submit the correct data type to MYSQL. But in reality, many small white Web developers often forget this, leading to a backdoor opening.

Why is the 2nd most important? Because without a 2nd guarantee, the MAGIC_QUOTES_GPC option, whether on or off, can trigger a SQL injection attack. Here's a look at the technology implementation:

First, the injection attack at magic_quotes_gpc= off

MAGIC_QUOTES_GPC = Off is a very unsafe option in PHP. The new version of PHP has changed the default value to ON. However, there are still a considerable number of servers with the option off. After all, the antique server is also used by others.

When MAGIC_QUOTES_GPC = ON, it automatically adds all the ' (single quotes), "(double numbers), (backslashes), white space characters in the submitted variable. The following is an official description of PHP:

MAGIC_QUOTES_GPC Boolean

Sets the Magic_quotes State for GPC (Get/post/cookie) operations. When magic_quotes are in, all ' (Single-quote), "(double quote), (backslash) and NUL's are escaped with a backslash autom Atically

If there is no escape, that is, off the case, the attacker can take advantage. Take the following test script as an example:

?  
if (Isset ($_post["F_login"])) {  
  //connection Database ...  
  // ... Code slightly ...  
  Check whether the user exists  
  $t _struname = $_post["F_uname"];  
  $t _strpwd = $_post["F_pwd"];  
  $t _strsql = "SELECT * from tbl_users WHERE username= ' $t _struname ' and password = ' $t _strpwd ' LIMIT 0,1";  
      
  if ($t _hres = mysql_query ($t _strsql)) {  
    //processing after successful query. A little ...  
  }  
? >