PHP Vulnerability Full solution (v)-sql injection attack

Source: Internet
Author: User
Tags mysql query sql injection sql injection attack

SQL injection attack (SQL injection) is an attacker who submits a carefully constructed SQL statement in the form, altering the original SQL statement, which would cause a SQL injection attack if the Web program did not check the submitted data.

General steps for SQL injection attacks:

1. An attacker accesses a site with a SQL injection vulnerability, looking for an injection point

2, the attacker constructs the injection statement, the injected statement and the SQL statement in the program combine to generate a new SQL statement

3. New SQL statements are submitted to the database to perform processing

4. The database executes a new SQL statement, triggering a SQL injection attack

Instance

Database

  1. CREATE TABLE ' PostMessage ' (

  2. ' ID ' int (one) not NULL auto_increment,

  3. ' Subject ' varchar not NULL default ',

  4. 'name ' varchar (+) not NULL default ",

  5. ' Email ' varchar (+) not NULL default ",

  6. ' Question ' mediumtext not NULL,

  7. ' Postdate ' datetime not NULL default ' 0000-00-00 00:00:00′,

  8. PRIMARY KEY (' id ')

  9. Engine=myisam DEFAULT charset=gb2312 comment= ' user's message ' auto_increment=69;

  10. Grant all privileges the ch3.* to ' sectop ' @localhost identified by ' 123456′;

  11. add.php Insert Message

  12. list.php message list

  13. show.php Display Message

Page http://www.netsos.com.cn/show.php?id=71 There may be an injection point, let's test

Http://www.netsos.com.cn/show.php?id=71 and 1=1

Back to Page

One query to record, one time no, let's take a look at the source code

show.php 12-15 Lines

Execute MySQL Query statement

$query = "SELECT * from postmessage where id =". $_get["id"];

$result = mysql_query ($query)

Or Die ("Execute Ysql query statement failed:". Mysql_error ());

When the parameter ID is passed in, the SQL statement that is combined with the preceding string is placed into the database to execute the query

Commits and 1=1, the statement becomes a select * from postmessage where id = 1=1 and the value after the statement is true, and later is true, the data returned to the query

Commit and 1=2, the statement becomes a select * from postmessage where id = A and 1=2 before the statement value is true, after the value is false, and later is false, no data is queried

Normal SQL queries, after the statements we construct, form a SQL injection attack. Through this injection point, we can further get permissions, such as the use of Union to read the management password, read the database information, or use MySQL load_file,into outfile functions such as further infiltration.

Precautionary approach

Integer parameters:

Convert data into integers using the intval function

Function prototypes

int intval (mixed var, int base)

var is the variable to be converted into shaping

Base, optional, is the base number, default is 10

Floating-point parameters:

Use Floatval or Doubleval functions to convert single-precision and double-precision floating-point parameters, respectively

Function prototypes

int floatval (mixed var)

var is the variable to be converted

int Doubleval (mixed var)

var is the variable to be converted

Character type parameter:

Use the Addslashes function to convert the single quote "'" to "\", the double quotation mark "" "to" \ ", the backslash" \ "to" \ \ ", the null character plus the backslash" \ "

Function prototypes

String addslashes (String str)

STR is the string to check

So the code bug that just appeared, we can fix this

Execute MySQL Query statement

$query = "SELECT * from postmessage where id =". Intval ($_get["id"]);

$result = mysql_query ($query)

Or Die ("Execute Ysql query statement failed:". Mysql_error ());

If it is a character type, first judge MAGIC_QUOTES_GPC can not be on, when not on the use of Addslashes escape special characters

    1. if (GET_MAGIC_QUOTES_GPC ())

    2. {

    3. $var = $_get["var"];

    4. }

    5. Else

    6. {

    7. $var = addslashes ($_get["var"]);

    8. }

Test again, the vulnerability has been patched

PHP Vulnerability Full solution (v)-sql injection attack

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.