I. Types of injection attacks
There may be many different types of attack motives, but at first glance there seems to be more types. This is very real-if a malicious user discovers a way to execute multiple queries. We'll discuss this in more detail later in this article.
Such as
If your script is executing a SELECT directive, an attacker could force the display of each row in a table-by injecting a condition such as "1=1" into the WHERE clause, as shown below (where the injected portion is shown in bold):
SELECT * FROM wines WHERE variety = ' Lagrein ' OR 1=1; '
As we discussed earlier, this may be useful information in itself, as it reveals the general structure of the table (which is not achievable by a common record) and potentially displays records containing confidential information.
An update directive can potentially have a more immediate threat. By placing other attributes in the SET clause, an attacker can modify any field in the record that is currently being updated, such as the following example (where the injected portion is shown in bold):
UPDATE Wines SET type= ' red ', ' vintage ' = ' 9999 ' WHERE variety = ' Lagrein '
By adding a constant condition such as 1=1 to the WHERE clause of an update instruction, the scope of the modification can be extended to each record, such as the following example (where the injected portion is shown in bold):
UPDATE Wines SET type= ' red ', ' vintage ' = ' 9999 WHERE variety = ' Lagrein ' OR 1=1; '
The most dangerous instructions could be delete-. This is not difficult to imagine. The injection technique is the same as we have seen-extending the scope of the affected record by modifying the WHERE clause, such as the following example (where the injected portion is shown in bold):
DELETE from wines WHERE variety = ' Lagrein ' OR 1=1; '
Two, multiple query injection
Multiple query injections will exacerbate the potential damage that an attacker might cause-by allowing multiple destructive instructions to be included in a single query. When using a MySQL database, an attacker could easily do this by inserting an unexpected terminator into the query-an injected quotation mark (single or double quotation marks) marks the end of the desired variable, and then terminates the instruction with a semicolon. Now, an additional attack instruction may be added to the end of the original instruction that is now terminated. The final destructive query might look like the following:
Copy the Code code as follows:
SELECT * FROM wines WHERE variety = ' Lagrein ';
GRANT all on * * to ' badguy@% ' identified by ' gotcha '; '
This injection creates a new user Badguy and gives it network privileges (with all the privileges on all tables), and an "ominous" password is added to this simple SELECT statement. If you follow our recommendations in previous articles-strictly restricting the privileges of the process user, this should not work because the Web server daemon no longer has the grant privilege that you withdrew. But in theory, such an attack could give badguy free power to do whatever it does to your database.
As to whether such a multi-query will be processed by the MySQL server, the conclusion is not unique. Some of these reasons may be due to different versions of MySQL, but most of this is due to the way multiple queries exist. The MySQL monitoring program completely allows such a query. A common MySQL gui-phpmyadmin that copies all of the previous content before the final query, and only does so.
However, most of the multiple queries in an injection context are managed by PHP's MySQL extension. Fortunately, by default, it is not allowed to execute multiple instructions in a single query; Attempting to execute two instructions (such as the one shown above) will simply lead to failure-no errors are set and no output information is generated. In this case, although PHP is simply "behaving" to implement its default behavior, it does protect you from most simple injection attacks.
The new mysqli extension in PHP5 (reference http://php.net/mysqli), like MySQL, does not support multiple queries internally, but provides a mysqli_multi_query () function to support you in implementing multiple queries-if you really want to do this.
However, the sqlite-and PHP5 bindings to the embeddable SQL database engine (reference http://sqlite.org/and http://php.net/sqlite) are even more frightening, and have attracted a lot of attention from users because of their ease of use. In some cases, SQLite allows such a multi-directive query by default, because the database can optimize batch queries, especially for very efficient batch INSERT statement processing. However, if the result of the query is used by your script (for example, in the case of retrieving records using a SELECT statement), the Sqlite_query () function does not allow multiple queries to be executed. Third, Invision Power BOARD SQL Injection Vulnerability
Invision Power Board is a well-known forum system. May 6, 2005, a SQL injection vulnerability was found in the login code. Its discovery
Gulftech Security, James Bercegay.
This login query looks like this:
$DB->query ("select * from Ibf_members WHERE id= $mid and password= ' $pid '");
Where the member ID variable $mid and the password ID variable $pid are retrieved from the My_cookie () function using the following two lines of code:
Copy the Code code as follows:
$mid = Intval ($std->my_getcookie (' member_id '));
$pid = $std->my_getcookie (' Pass_hash ');
Here, the My_cookie () function uses the following statement to retrieve the required variable from the cookie:
Return UrlDecode ($_cookie[$ibforums->vars[' cookie_id '). $name]);
"Note" The value returned from this cookie is not processed at all. Although $mid is cast to an integer before it is used in the query, $pid remains the same. As a result, it is vulnerable to the injection type of attack we discussed earlier.
Therefore, this vulnerability is exposed by modifying the My_cookie () function as follows:
Copy the Code code as follows:
if (! In_array ($name, Array (' Topicsread ', ' forum_read ', ' collapseprefs ')))
{
Return $this
Clean_value (UrlDecode ($_cookie[$ibforums->vars[' cookie_id ']. $name]));
}
Else
{
Return UrlDecode ($_cookie[$ibforums->vars[' cookie_id '). $name]);
}
After this correction, the key variables are returned after the "pass" global Clean_value () function, while the other variables are not checked.
Now that we have a general idea of what SQL injection is, how it is injected, and how vulnerable this injection is, let's explore how to prevent it effectively. Fortunately, PHP provides us with a wealth of resources, so we have full confidence that an application built carefully and thoroughly using the technology we recommend will fundamentally eliminate any possibility of SQL injection from your script-by "cleaning up" your users ' data before it can cause any damage.
Iv. define each value in your query
We recommend that you ensure that each value in your query is defined. String values are the first, as well as those that you would normally expect to use "single" (rather than "double") quotes. On the one hand, if you use double quotes to allow PHP to replace variables within a string, this makes it easier to input queries, and on the other hand, this (admittedly, very little) also reduces the subsequent parsing of the PHP code.
Below, let's use the non-injected query we started with to illustrate the problem:
SELECT * FROM wines WHERE variety = ' Lagrein '
or expressed as a PHP statement as:
$query = "SELECT * FROM wines WHERE variety = ' $variety '";
Technically, the quotation marks are not needed for numeric values. However, if you don't mind enclosing a value for a field such as wine in quotation marks and if your user enters an empty value into your form, you will see a query similar to the following:
SELECT * FROM wines WHERE vintage =
Of course, this query is syntactically invalid, but the following syntax is valid:
SELECT * FROM wines WHERE vintage = '
The second query will (presumably) not return any fruit, but at least it will not return an error message.
V. Checking the type of user-submitted values
As we've seen in the previous discussion, the main sources of SQL injection so far are often on an unexpected form entry. However, when you provide the opportunity to submit certain values through a single table, you should have considerable advantages to
What kind of input you want to get-this can make it easier for us to check the validity of the user portal. In previous articles, we have discussed such a verification problem, so here we simply summarize the points we discussed at that time. If you are expecting a number, then you can use one of the following techniques to make sure that you get really a number type:
· Use the Is_int () function (or Is_integer () or Is_long ()).
· Use the GetType () function.
· Use the Intval () function.
· Use the Settype () function.
To check the length of the user input, you can use the strlen () function. To check if a desired time or date is valid, you can use the Strtotime () function. It is almost certain to ensure that a user's entry does not contain a semicolon character (unless punctuation can be legitimately included). You can easily do this with the help of the Strpos () function, as follows:
if (Strpos ($variety, '; ')) exit ("$variety is a invalid value for variety!");
As we mentioned earlier, as long as you carefully analyze your user input expectations, then you should be able to easily check out many of the problems that exist in them.
Six, filter out every suspicious character from your query
Although we have discussed how to filter out dangerous characters in previous articles, let us briefly emphasize and summarize this question again:
· Do not use the MAGIC_QUOTES_GPC directive or its "behind the Scenes"-addslashes () function, which is restricted in application development, and this function requires additional steps-using the Stripslashes () function.
· In contrast, the mysql_real_escape_string () function is more common, but it has its own drawbacks.
The above describes the anti-SQL injection in PHP to prevent SQL injection implementation code, including anti-SQL injection content, I hope the PHP tutorial interested in a friend helpful.
