PHP SQL Injection attack prevention approach and injection analysis _php tutorial

1. The MAGIC_QUOTES_GPC option in PHP tutorial configuration file php.ini is not turned on and is set to off 2. The developer does not check and escape the data type

But in fact, the 2nd is the most important. I think that checking the type of data entered by the user and submitting the correct data type to the MySQL tutorial should be the most basic quality of a web programmer. But in reality, many small white web developers often forget this, causing the backdoor to open.

Why is 2nd the most important? Because without the 2nd guarantee, the MAGIC_QUOTES_GPC option, whether on or off, could trigger a SQL injection attack. Here's a look at the technology implementation:

One. MAGIC_QUOTES_GPC = off injection attack

MAGIC_QUOTES_GPC = Off is a very insecure option in PHP. The new version of PHP has changed the default value to ON. However, there are still quite a few options for the server to OFF. After all, the antique servers are also used by people.

When MAGIC_QUOTES_GPC = ON, it will add all the ' (single quotation marks), "(double number), (backslash), and white space characters in the submitted variable to the front automatically. The following is an official description of PHP:

View Sourceprint?

MAGIC_QUOTES_GPC Boolean

Sets the Magic_quotes state for GPC (Get/post/cookie) operations. When Magic_quotes is on, all ' (Single-quote), "(double quote), (backslash) and Nul ' s is escaped with a backslash autom Atically

If it is not escaped, that is off, it gives the attacker an advantage. Take the following test script as an example:

1 2if (isset ($_post["F_login"))
3{
4//Connect database Tutorial ...
5//... Code slightly ...
6
7//Check whether the user exists
8 $t _struname = $_post["F_uname"];
9 $t _strpwd = $_post["F_pwd"];
Ten $t _strsql = "SELECT * from tbl_users where username= ' $t _struname ' and password = ' $t _strpwd ' limit 0,1 ';
11
if ($t _hres = mysql_query ($t _strsql))
13 {
14//Processing after successful query. Slightly...
15}
16}
17?>
18
19Sample test
20
21st
27

In this script, when the user enters a normal user name and password, assuming that the values are Zhang3, abc123, the SQL statement that is submitted is as follows:

1 SELECT * FROM tbl_users
2 where username= ' zhang3 ' and password = ' abc123 ' limit 0,1

If an attacker enters in the username field: Zhang3 ' or 1=1 #, in Password input abc123, the submitted SQL statement becomes as follows:

1 SELECT * FROM tbl_users
2 where username= ' Zhang3 ' or 1=1 # ' and password = ' abc123 ' limit 0,1

Since # is an annotation in MySQL, #之后的语句不被执行, the implementation of this line of statements becomes:

1 SELECT * FROM tbl_users
2 where username= ' Zhang3 ' or 1=1

This allows the attacker to bypass authentication. If an attacker knew the database structure, it would be more dangerous to build a union select:

Suppose you enter in Username: Zhang3 ' or 1 =1 Union select Cola, colb,cold from Tbl_b #

In Password input: abc123,

The SQL statement that is committed becomes:

1 SELECT * FROM tbl_users
2 where username= ' Zhang3 '
3 or 1 =1 Union select Cola, colb,cold from Tbl_b # ' and password = ' abc123 ' limit 0,1

This is quite dangerous. If the AGIC_QUOTES_GPC option is on and the quotation marks are escaped, the attack statement built by the attacker above will become so that it does not achieve its purpose:

1 SELECT * FROM tbl_users
2 where username= ' Zhang3 ' or 1=1 # '
3 and Password = ' abc123 '
4 Limit 0,1
5
6 SELECT * FROM Tbl_users
7 where username= ' Zhang3 ' or 1 =1 Union select Cola, colb,cold from Tbl_b # '
8 and Password = ' abc123 ' limit 0,1

Two. MAGIC_QUOTES_GPC = injection attack at On

When MAGIC_QUOTES_GPC = ON, an attacker cannot inject SQL into a character-type field. That doesn't mean it's safe. In this case, SQL injection can be done with numeric fields.

In the latest version of MySQL 5.x, data type input has been strictly, and automatic type conversion has been turned off by default. Numeric field, cannot be a character type of quotation marks. That is, assuming the UID is numeric, in the previous MySQL version, such statements are legal:

1 INSERT INTO Tbl_user set uid= "1";
2 Select * from Tbl_user where uid= "1";

In the latest MySQL 5.x, the above statement is not legal and must be written like this:

1 INSERT into Tbl_user set uid=1;
2 Select * from Tbl_user where uid=1;

So I think it's right. Because as a developer, it is the most basic requirement to submit the correct rules-compliant data types to the database.

So how do attackers attack when MAGIC_QUOTES_GPC = on? It's easy to do SQL injection on numeric fields. Take the following PHP script as an example:

1 2 if (Isset ($_post["F_login"))
3 {
4//Connect database ...
5//... Code slightly ...
6
7//Check whether the user exists
8 $t _struid = $_post["F_uid"];
9 $t _strpwd = $_post["F_pwd"];
Ten $t _strsql = "SELECT * from tbl_users where uid= $t _struid and password = ' $t _strpwd ' limit 0,1 ';
if ($t _hres = mysql_query ($t _strsql))
12 {
13//Processing after successful query. Slightly...
14}
15
16}
?>
18Sample test
19
20
26

The above script requires users to enter UserID and password login. A normal statement, the user enters 1001 and abc123, commits the SQL statement as follows:

SELECT * from tbl_users where userid=1001 and password = ' abc123 ' limit 0,1

If the attacker is at the UserID, enter: 1001 or 1 = 1 #, the SQL statement injected is as follows:

SELECT * from tbl_users where userid=1001 or 1 =1 # and password = ' abc123 ' limit 0,1

The attackers achieved their purpose.

Three. How to prevent PHP SQL injection attacks

How do I prevent PHP SQL injection attacks? I think the most important thing is to check and escape the data type. Some of the rules are summarized as follows:

The display_errors option in php.ini should be set to Display_errors = off. In this way, the PHP script does not output errors in the Web page after the error, so that the attacker could parse out the information.

When you call a MySQL function such as mysql_query, you should precede it with @, which is @mysql_query (...) so that the MySQL error is not output. In the same vein, the attacker is not allowed to parse out useful information. In addition, some programmers in the development, when mysql_query error, used to output errors and SQL statements, such as: 1 $t _strsql = "Select a from B ...";
2 if (mysql_query ($t _strsql))
3 {
4//correct handling
5}
6 Else
7 {
8 echo "Error! SQL statement: $t _strsql RN error message ". mysql_query ();
9 exit;
10}

This practice is quite dangerous and foolish. If you must do this, it is best to set a global variable or define a macro in the configuration file of the Web site, and set the debug flag:

1//Global configuration file:
2 define ("Debug_mode", 0); 1:debug mode; 0:release mode
3
4//Call script:
5 $t _strsql = "Select a from B ...";
6 if (mysql_query ($t _strsql))
7 {
8//correct handling
9}
Ten Else
11 {
if (Debug_mode)
echo "Error! SQL statement: $t _strsql RN error message ". mysql_query ();
+ exit;
15}

Escape and type check for the SQL statement that was committed.

Four. I wrote a security parameter to get the function

To prevent user error data and PHP + MySQL injection, I wrote a function papi_getsafeparam () to get the safe parameter values:

1 define ("Xh_param_int", 0);
2 define ("Xh_param_txt", 1);
3 function Papi_getsafeparam ($pi _strname, $pi _def = "", $pi _itype = xh_param_txt)
4 {
5 if (Isset ($_get[$pi _ strname])
6 $t _val = Trim ($_get[$pi _strname]),
7 else if (Isset ($_post[$pi _strname]))
8 $t _val = Trim ($_po st[$pi _strname]);
9 Else
return $PI _def;

/int
if (xh_param_int = = $pi _itype)
+
(is_numeric ($t _val))
return $t _val;
+ Else
return $pi _def;


//String
$t _val = Str_replace ("&", "&", $t _val);
$t _val = Str_replace ("<", "<", $t _val);
$t _val = Str_replace (">", ">", $t _val);
if (GET_MAGIC_QUOTES_GPC ())
, {
$t _val = Str_replace ("", "" ", $t _val);
$t _val = Str_replace ("'" "," ' ", $t _val);
29}
-Else
-{
$t _val = Str_replace ("" "" "", $t _val);
$t _val = Str_replace ("'", "'", $t _val);
34}
return $t _val;

In this function, there are three parameters:

$PI _strname: Variable name
$PI _def: Default value
$PI _itype: Data type. The value is Xh_param_int, Xh_param_txt, respectively, the numeric type and the text type.

If the request is numeric, call Is_numeric () to determine whether it is a numeric value. If not, the default value specified by the program is returned.

For simplicity, for a text string, I escaped all dangerous characters (including HTML code) entered by the user. Because of a vulnerability in PHP function addslashes (), I replaced it directly with Str_replace (). The GET_MAGIC_QUOTES_GPC () function is a PHP function used to determine whether the MAGIC_QUOTES_GPC option is open.

Just in the second section of the example, the code can be called:

1 2 if (Isset ($_post["F_login"))
3 {
4//Connect database ...
5//... Code slightly ...
6
7//Check whether the user exists
8 $t _struid = Papi_getsafeparam ("F_uid", 0, Xh_param_int);
9 $t _strpwd = Papi_getsafeparam ("F_pwd", "", xh_param_txt);
Ten $t _strsql = "SELECT * from tbl_users where uid= $t _struid and password = ' $t _strpwd ' limit 0,1 ';
if ($t _hres = mysql_query ($t _strsql))
12 {
13//Processing after successful query. Slightly...
14}
15}
?>

http://www.bkjia.com/PHPjc/629717.html www.bkjia.com true http://www.bkjia.com/PHPjc/629717.html techarticle 1. The MAGIC_QUOTES_GPC option in PHP tutorial configuration file php.ini is not turned on and is set to OFF 2. The developer does not check and escape the data type but in fact, the 2nd most important ...

