Full PHP vulnerability solution (5): SQL injection attacks

Source: Internet
Author: User

A SQL injection attack is one in which the attacker submits specially crafted input through a form or URL parameter so that it is spliced into the application's SQL statement and changes the statement's meaning. If the web program does not validate the submitted data before building the query, it is open to SQL injection.

General steps of a SQL injection attack:

1. The attacker visits a website that has a SQL injection vulnerability and locates an injection point.

2. The attacker constructs an injection string, which the program concatenates with its own SQL statement to produce a new SQL statement.

3. The new SQL statement is submitted to the database for processing.

4. The database executes the new SQL statement, and the injection takes effect.

Example

Database

CREATE TABLE `postmessage` (
  `id` int(11) NOT NULL auto_increment,
  `subobject` varchar(60) NOT NULL default '',
  `name` varchar(40) NOT NULL default '',
  `email` varchar(25) NOT NULL default '',
  `question` mediumtext NOT NULL,
  `postdate` datetime NOT NULL default '2017-00-00 00:00:00',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=gb2312 COMMENT='visitor message' AUTO_INCREMENT=69;

GRANT ALL PRIVILEGES ON ch3.* TO 'sectop'@'localhost' IDENTIFIED BY '123';

-- add.php  inserts a message
-- list.php lists the messages
-- show.php displays one message

The page http://www.netsos.com.cn/show.php?id=71 may have an injection point. Let's test it:

http://www.netsos.com.cn/show.php?id=71 and 1=1

http://www.netsos.com.cn/show.php?id=71 and 1=2

Returned pages: the first request finds the record, the second does not. Let's look at the source code.

// show.php, lines 12-15

// Execute the MySQL query
$query = "select * from postmessage where id = " . $_GET["id"];
$result = mysql_query($query)
    or die("Failed to execute MySQL query: " . mysql_error());

The id parameter is concatenated directly onto the SQL string, and the combined statement is sent to the database for execution.

Submitting "and 1=1" turns the statement into: select * from postmessage where id = 71 and 1=1. Both operands of "and" are true, so the whole condition is true and the record is returned.

Submitting "and 1=2" turns it into: select * from postmessage where id = 71 and 1=2. The left operand is true but the right one is false, so the condition is false and no row is returned.

The difference between the two responses proves that our input is being executed as SQL: a normal query has been turned into a SQL injection attack. From this injection point an attacker can go further, for example using "union select" to read administrator passwords or database metadata, or using MySQL's load_file() and "select ... into outfile" to read and write files on the server (possible when the database account holds the FILE privilege, as the GRANT ALL above gives it).

Defense methods

Integer parameters:

Use the intval function to convert the data to an integer.

Function prototype

int intval(mixed $var, int $base = 10)

$var is the value to convert to an integer.

$base is optional; it is the numeric base and defaults to 10 (it only applies when $var is a string). intval("71 and 1=1") returns 71: everything after the leading digits is discarded, so the injected condition never reaches the query.

Floating-point parameters:

Use the floatval function. doubleval is simply an alias of floatval; PHP has only one float type, which is double precision, so the two functions behave identically.

Function prototype

float floatval(mixed $var)

$var is the value to convert.

float doubleval(mixed $var)

$var is the value to convert.

String parameters:

Use the addslashes function to put a backslash before each single quote ('), double quote ("), backslash (\) and NUL byte, so that they become \', \", \\ and \0 and a quote inside the input can no longer terminate the SQL string literal.

Function prototype

string addslashes(string $str)

$str is the string to be escaped.

We can now fix the vulnerable code from above.

// Execute the MySQL query
$query = "select * from postmessage where id = " . intval($_GET["id"]);
$result = mysql_query($query)
    or die("Failed to execute MySQL query: " . mysql_error());

For a string (character) parameter, first check whether magic_quotes_gpc is on. If it is, PHP has already escaped the input and escaping it again would double the backslashes; if it is not, escape the special characters with addslashes.

if (get_magic_quotes_gpc())
{
    $var = $_GET["var"];              // already escaped by PHP
}
else
{
    $var = addslashes($_GET["var"]);  // escape ' " \ and NUL ourselves
}

Two caveats for anyone applying this today. First, magic_quotes_gpc was removed in PHP 5.4, get_magic_quotes_gpc() was removed in PHP 8.0, and the mysql_* functions were removed in PHP 7.0, so this code only runs on old PHP releases. Second, addslashes knows nothing about the connection character set; with a multi-byte charset such as the gb2312 used by this table, a byte sequence that the database reads as one multi-byte character followed by a quote can slip past it. On current PHP, use mysqli_real_escape_string with the connection charset set, or better still prepared statements with bound parameters (mysqli or PDO), which remove the need to escape at all.

Test again: the vulnerability has been fixed.
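The following script is an added example, not code from the original article or the netsos.com.cn site. It reproduces the "and 1=1" / "and 1=2" / union probes described in the injection section above against the same show.php query shape, and then runs the two defenses from this section (intval for the integer id, and prepared statements with bound parameters as the general fix) against the same payloads, plus a string parameter with quotes. It uses an in-memory SQLite database through PDO so it runs offline; the pdo_sqlite extension is assumed to be loaded, and the table rows and the admin table are constructed for the demo.

```php
<?php
// Added example (not from the original article): the vulnerable show.php query
// beside two fixes, run against an in-memory SQLite copy of the postmessage
// table so it works offline. Assumes the pdo_sqlite extension is loaded.
// All rows and the "admin" table are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE postmessage (id INTEGER PRIMARY KEY, subobject TEXT,
           name TEXT, email TEXT, question TEXT)');
$db->exec("INSERT INTO postmessage VALUES
           (71, 'hello', 'alice', 'alice@example.com', 'first question'),
           (72, 'hi',    'bob',   'bob@example.com',   'second question')");
// A table the visitor is never meant to read.
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO admin VALUES (1, 'admin', 'hunter2')");

// Same shape as the article's show.php: id is concatenated into the SQL text.
function vulnerableShow(PDO $db, string $id): array
{
    $query = "select * from postmessage where id = " . $id;
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix for an integer parameter: intval() keeps only the leading number.
function fixedShowIntval(PDO $db, string $id): array
{
    $query = "select * from postmessage where id = " . intval($id);
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// General fix for any parameter type: a prepared statement with a bound value.
// The value travels separately from the SQL text, so it is never parsed as SQL.
function fixedShowPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('select * from postmessage where id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// String parameter: quoted concatenation versus a bound string.
function vulnerableByName(PDO $db, string $name): array
{
    $query = "select * from postmessage where name = '" . $name . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

function fixedByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('select * from postmessage where name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$idPayloads = [
    '71',          // normal request
    '71 and 1=1',  // true condition: the row is still returned
    '71 and 1=2',  // false condition: no row, which confirms the injection
    // union-based read of another table (five columns to match postmessage)
    '71 union select id, username, password, null, null from admin',
];

foreach ($idPayloads as $p) {
    printf("id=%s\n", $p);
    printf("  vulnerable: %d row(s)\n", count(vulnerableShow($db, $p)));
    printf("  intval:     %d row(s)\n", count(fixedShowIntval($db, $p)));
    printf("  prepared:   %d row(s)\n", count(fixedShowPrepared($db, $p)));
}

$namePayloads = ['alice', "x' or '1'='1"];
foreach ($namePayloads as $p) {
    printf("name=%s\n", $p);
    printf("  vulnerable: %d row(s)\n", count(vulnerableByName($db, $p)));
    printf("  prepared:   %d row(s)\n", count(fixedByName($db, $p)));
}
```

Run it with "php demo.php". The vulnerable function returns 0 rows for "71 and 1=2" and 2 rows for the union payload (the message plus the admin credentials), while both fixed versions return exactly the one message for every payload; for the name lookup, the quoted payload returns every row through the vulnerable function and nothing through the bound one. addslashes is deliberately not shown here because SQLite does not use backslash escaping at all, which illustrates why escaping is database-specific and why bound parameters are the portable defense. Against the article's MySQL setup, the same code works with a DSN such as "mysql:host=localhost;dbname=ch3;charset=utf8mb4" (charset name is an assumption) in place of "sqlite::memory:".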

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
