This article looks at SQL injection attacks against PHP web sites. A SQL injection attack arises when a programmer, while writing code, fails to check the legitimacy of user-supplied input, leaving the application with a security hole. A user can then submit database query code and, from the results the program returns, learn data that was not meant to be exposed.
In a SQL injection attack (SQL injection), the attacker submits a carefully constructed SQL fragment through a form; it alters the original SQL statement, and if the web application does not check the submitted data, the injection succeeds.
General steps of a SQL injection attack:
1. The attacker visits a site with a SQL injection vulnerability and looks for an injection point.
2. The attacker constructs an injection statement; combined with the SQL statement in the program, it produces a new SQL statement.
3. The new SQL statement is submitted to the database for processing.
4. The database executes the new SQL statement, and the injection attack takes effect.
Example
Database
-- Table name written in lower case to match the queries used below;
-- the varchar lengths and the int display width were lost in extraction,
-- so 255 and 11 are assumed here.
CREATE TABLE `postmessage` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `subject` varchar(255) NOT NULL DEFAULT '',
  `name` varchar(255) NOT NULL DEFAULT '',
  `email` varchar(255) NOT NULL DEFAULT '',
  `question` mediumtext NOT NULL,
  `postdate` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=gb2312 COMMENT='user''s message' AUTO_INCREMENT=69;
GRANT ALL PRIVILEGES ON ch3.* TO 'sectop'@'localhost' IDENTIFIED BY '123456';
- add.php: inserts a message
- list.php: lists the messages
- show.php: displays a message
The page http://www.netsos.com.cn/show.php?id=71 may have an injection point; let's test it:
http://www.netsos.com.cn/show.php?id=71 and 1=1
The page is returned normally.
One query returns the record and the other returns nothing, so let's look at the source code.
show.php, lines 12-15:
// Execute the MySQL query statement
$query = "SELECT * FROM postmessage WHERE id = " . $_GET["id"];
$result = mysql_query($query)
    or die("Execute MySQL query statement failed: " . mysql_error());
When the parameter id is passed in, it is concatenated onto the preceding string and the resulting SQL statement is sent to the database to execute the query.
Submitting "and 1=1" turns the statement into SELECT * FROM postmessage WHERE id = 71 and 1=1: the condition before "and" is true and the condition after it is true, so the whole WHERE clause is true and the query returns data.
Submitting "and 1=2" turns it into SELECT * FROM postmessage WHERE id = 71 and 1=2: the condition before "and" is true but the one after it is false, so the whole clause is false and no data is returned.
A normal SQL query, with our constructed statement appended, has become a SQL injection attack. Through this injection point an attacker can go further, for example using UNION to read the administrator password, reading database information, or using MySQL's load_file and INTO OUTFILE for further penetration.
Precautions
Integer parameters:
Convert the data to an integer with the intval function.
Function prototype:
int intval(mixed $var, int $base = 10)
$var is the variable to convert to an integer.
$base, optional, is the numeric base; the default is 10.
Floating-point parameters:
Use the floatval or doubleval function to convert single-precision and double-precision floating-point parameters.
Function prototypes:
float floatval(mixed $var)
$var is the variable to convert.
float doubleval(mixed $var)
$var is the variable to convert.
Character-type parameters:
Use the addslashes function, which puts a backslash in front of the single quote ('), the double quote ("), the backslash (\) and the NUL byte, giving \', \", \\ and \0 respectively.
Function prototype:
string addslashes(string $str)
$str is the string to escape.
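To make the difference between the three conversions concrete, here is an added example (not code from the original article) that wraps intval, floatval/doubleval and addslashes into small parameter helpers and runs them over constructed request values. It also shows the stricter "reject instead of coerce" variant a practitioner usually wants for numeric ids: intval("71 and 1=1") silently returns 71 and runs the query anyway, whereas filter_var with FILTER_VALIDATE_INT refuses the malformed value so the request can be answered with an error before any SQL is built. The helper names and the sample $get array are assumptions for illustration.

```php
<?php
// Added example: typed request-parameter helpers in the spirit of the
// intval / floatval / addslashes approach described above.

// Coerce as the article suggests: intval() never throws and always yields an int,
// but it keeps only the leading digits of a tampered value such as "71 and 1=1".
function param_int_coerce(array $src, string $key, int $default = 0): int
{
    return isset($src[$key]) ? intval($src[$key]) : $default;
}

// Stricter variant: accept only a well-formed decimal integer and return null
// otherwise, so the caller can reject the request instead of running a query.
function param_int_strict(array $src, string $key): ?int
{
    if (!isset($src[$key])) {
        return null;
    }
    $v = filter_var($src[$key], FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// doubleval() is an alias of floatval(); both drop trailing non-numeric text.
function param_float(array $src, string $key, float $default = 0.0): float
{
    return isset($src[$key]) ? floatval($src[$key]) : $default;
}

// String parameter escaped the way the article describes. get_magic_quotes_gpc()
// was removed in PHP 8.0 (and always returned false from PHP 5.4 on), so the
// call is guarded for the example to run on current PHP.
function param_string_escaped(array $src, string $key): string
{
    $raw = isset($src[$key]) ? (string) $src[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return $raw;   // runtime already added the slashes
    }
    return addslashes($raw);   // escapes ' " \ and NUL
}

// Constructed sample input standing in for $_GET (hypothetical values).
$get = [
    'id'    => '71 and 1=1',
    'price' => '12.50abc',
    'name'  => "O'Neil \"quoted\" back\\slash" . "\0",
];

var_dump(param_int_coerce($get, 'id'));        // coerced: digits kept, suffix dropped
var_dump(param_int_strict($get, 'id'));        // strict: malformed integer refused
var_dump(param_float($get, 'price'));          // numeric prefix converted
var_dump(param_string_escaped($get, 'name'));  // each special character prefixed with a backslash
```

Note that addslashes is not aware of the connection character set, so for a table in a multibyte charset such as the gb2312 one created above, escaping alone is a weaker defence than keeping the parameter out of the SQL text entirely with a prepared statement.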
So the bug in the code above can be fixed like this:
// Execute the MySQL query statement
$query = "SELECT * FROM postmessage WHERE id = " . intval($_GET["id"]);
$result = mysql_query($query)
    or die("Execute MySQL query statement failed: " . mysql_error());
For a character-type parameter, first check whether magic_quotes_gpc is on; when it is not, use addslashes to escape the special characters:
if (get_magic_quotes_gpc()) {
    $var = $_GET["var"];
} else {
    $var = addslashes($_GET["var"]);
}
Test again: the vulnerability has been patched.
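As an added example (not the article's own code), here is show.php rewritten so that the id parameter never becomes part of the SQL text at all: the value is validated as a positive integer and then bound to a placeholder in a PDO prepared statement, which removes the concatenation the attack relied on and works the same for the string columns of this table. The mysql_* functions used in the article were removed in PHP 7.0, so PDO is also what current PHP provides. The database name ch3, the table postmessage, the column id and the user sectop come from the article; the DSN and the password are placeholders, and fetch_message is an assumed function name.

```php
<?php
// Added example: show.php with validation plus a prepared statement.

function fetch_message(PDO $db, string $raw_id): ?array
{
    // Validate, do not merely coerce: anything that is not a decimal integer >= 1 is refused.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Named placeholder instead of string concatenation; the driver sends the
    // value separately from the statement, so "71 and 1=1" can never be parsed as SQL.
    $stmt = $db->prepare('SELECT * FROM postmessage WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection: host and password are placeholders; charset matches the table above.
$db = new PDO(
    'mysql:host=localhost;dbname=ch3;charset=gb2312',   // placeholder DSN
    'sectop',                                            // user from the article's GRANT
    'CHANGE_ME',                                         // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares, not client-side quoting
    ]
);

$row = fetch_message($db, $_GET['id'] ?? '');
if ($row === null) {
    // Covers both "not a valid id" and "no such record" without leaking SQL errors.
    http_response_code(404);
    echo 'Message not found';
    exit;
}

// Encode on output as well, since the stored message is user-supplied text.
echo htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8');
```

With ATTR_EMULATE_PREPARES disabled the MySQL server itself separates the statement from its parameters, so the connection charset no longer affects the injection defence; the input validation in front of it is there to reject bad requests early and to keep error handling uniform.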