SQL injection attack (SQL injection) is an attacker who submits a carefully constructed SQL statement in the form, altering the original SQL statement, which would cause a SQL injection attack if the Web program did not check the submitted data.
General steps for SQL injection attacks:
1. An attacker accesses a site with a SQL injection vulnerability, looking for an injection point
2, the attacker constructs the injection statement, the injected statement and the SQL statement in the program combine to generate a new SQL statement
3. New SQL statements are submitted to the database to perform processing
4. The database executes a new SQL statement, triggering a SQL injection attack
Instance
Database
CREATE TABLE ' PostMessage ' (
' ID ' int (one) not NULL auto_increment,
' Subject ' varchar not NULL default ',
'name ' varchar (+) not NULL default ",
' Email ' varchar (+) not NULL default ",
' Question ' mediumtext not NULL,
' Postdate ' datetime not NULL default ' 0000-00-00 00:00:00′,
PRIMARY KEY (' id ')
Engine=myisam DEFAULT charset=gb2312 comment= ' user's message ' auto_increment=69;
Grant all privileges the ch3.* to ' sectop ' @localhost identified by ' 123456′;
add.php Insert Message
list.php message list
show.php Display Message
Page http://www.netsos.com.cn/show.php?id=71 There may be an injection point, let's test
Http://www.netsos.com.cn/show.php?id=71 and 1=1
Back to Page
One query to record, one time no, let's take a look at the source code
show.php 12-15 Lines
Execute MySQL Query statement
$query = "SELECT * from postmessage where id =". $_get["id"];
$result = mysql_query ($query)
Or Die ("Execute Ysql query statement failed:". Mysql_error ());
When the parameter ID is passed in, the SQL statement that is combined with the preceding string is placed into the database to execute the query
Commits and 1=1, the statement becomes a select * from postmessage where id = 1=1 and the value after the statement is true, and later is true, the data returned to the query
Commit and 1=2, the statement becomes a select * from postmessage where id = A and 1=2 before the statement value is true, after the value is false, and later is false, no data is queried
Normal SQL queries, after the statements we construct, form a SQL injection attack. Through this injection point, we can further get permissions, such as the use of Union to read the management password, read the database information, or use MySQL load_file,into outfile functions such as further infiltration.
Precautionary approach
Integer parameters:
Convert data into integers using the intval function
Function prototypes
int intval (mixed var, int base)
var is the variable to be converted into shaping
Base, optional, is the base number, default is 10
Floating-point parameters:
Use Floatval or Doubleval functions to convert single-precision and double-precision floating-point parameters, respectively
Function prototypes
int floatval (mixed var)
var is the variable to be converted
int Doubleval (mixed var)
var is the variable to be converted
Character type parameter:
Use the Addslashes function to convert the single quote "'" to "\", the double quotation mark "" "to" \ ", the backslash" \ "to" \ \ ", the null character plus the backslash" \ "
Function prototypes
String addslashes (String str)
STR is the string to check
So the code bug that just appeared, we can fix this
Execute MySQL Query statement
$query = "SELECT * from postmessage where id =". Intval ($_get["id"]);
$result = mysql_query ($query)
Or Die ("Execute Ysql query statement failed:". Mysql_error ());
If it is a character type, first judge MAGIC_QUOTES_GPC can not be on, when not on the use of Addslashes escape special characters
if (GET_MAGIC_QUOTES_GPC ())
{
$var = $_get["var"];
}
Else
{
$var = addslashes ($_get["var"]);
}
Test again, the vulnerability has been patched
PHP Vulnerability Full solution (v)-sql injection attack