Php web development security-SQL injection and prevention: (1) Simple select statement injection and prevention, sqlselect

Php web development security-SQL injection and prevention: (1) Simple select statement injection and prevention, sqlselect

SQL Injection mainly refers to the Construction of SQL statements in get and post request parameters to modify the SQL statements executed during the program running, so as to obtain, modify, or even delete data, the main cause of SQL injection is that there are problems with code writing (with vulnerabilities). As long as you pay attention to developing good habits when writing SQL-related code, prevent SQL statements that may be injected. In most cases, you can prevent SQL injection. Next, let's take a look at which bad coding habits may cause the select statement to be injected and analyze the preventive measures.

Note: There is no complete php code here. It can be roughly assumed that a user can use a url similar to the following http: // localhost/user. php? Username = yang or http: // localhost/user. php? Uid = yang. The get method is used to request information in the database. The database contains the user and article tables.

1. Replace variables in SQL statements without quotation marks
Check this statement $ SQL = "select uid, username from user where uid = $ uid ";
Replace variables with no quotation marks. If you enter $ uid: $ uid = '1 and 1 = 2 union select * from article where aid = 1' like this ';

This SQL statement can be constructed.

select uid, username from user where uid = 1 and 1=2 union select * from article where aid = 1

You can see that the union clause can be used to query data in other tables.

Therefore, the variables in the SQL statement should be enclosed in quotation marks $ SQL = "select uid, username from user where uid = '$ uid '";
In this way, even if the SQL statement is injected, the constructed SQL statement will only become like this:

select uid, username from user where uid = '1 and 1=2 union select * from article where aid = 1';

In this way, the constructed uid can only be the value of the query parameter in the SQL statement, and thus cannot be injected.

2. user input is not filtered and escaped.

(1) filter the data, convert it to the desired format, or determine whether the data format is legal. To determine whether the data format is valid, follow the rules defined by yourself, such as the email address format, User Name Length and combination, password length and combination. The validity of the data format is not discussed here. The following describes the format conversion problem:

For SQL queries by id, because id is generally an integer, You can first convert the data type entered by the user to int, so that even if you try to construct $ uid:

$ Uid = (int) '1 and 1 = 2 union select * from article where aid = 1 ',

It will also be converted to numbers, which can avoid being injected to some extent.

(2) For SQL queries by string type such as username, the main risk of injection is to construct an SQL statement by adding single quotes, SQL comments, SQL statement Terminator, and other symbols in the parameters, therefore, you only need to escape these characters, that is, to escape user input data. Here there are two functions involved: addslashes () and addcslashes (). Addslashes () can escape single quotation marks, double quotation marks, backslash \, and NUL (NULL character. Addcslashes () can customize characters to be escaped. Next, we will use addcslashes () to escape user input.

For example, the following SQL statement:

$sql = "select uid, username from user where username = '{$username}' ";

Without escaping, You can construct $ username as follows: yang '; show tables -- inject
Finally, the following SQL statement is constructed:

select uid, username from user where username = 'yang';SHOW TABLES-- inject';

Now we use the addcslashes () function to escape $ username,

$username = isset($_GET['username']) ? addcslashes($_GET['username'], "'\"%_\\;-") : '';

Note that the preceding statement will escape the following characters. You can escape the corresponding characters as needed.

'Single quotation marks "Double quotation marks % Percent _ underline \ backslash; semicolon-small break

At this time, if the user-constructed yang '; show tables -- inject will become like this: yang \' \; show tables \-inject, the constructed SQL statement will become like this:

select uid, username from user where username = 'yang\'\;SHOW TABLES\-\- inject';

It can be said that it is terrible, and SQL injection will become invalid.

3. Summary

The above is just a simple analysis of the two bad programming habits that are easy to be injected with SQL and the corresponding prevention. In fact, there are still many ways and methods for SQL injection. The so-called magic is full of feet and the road is full of feet, there are still many things to learn.

Refer:

Php programming

Web security-SQL injection attack techniques and Prevention