Problems with SQL injection in languages such as PHP

Many people do not notice in the development of SQL query can be changed, in fact, SQL is one of the most unsafe factors, through SQL, more likely to directly execute system commands, new users on the server, modify passwords and other operations are not impossible.

Direct SQL command injection is a technique commonly used by attackers to create or modify existing SQL statements to achieve hidden data, or to overwrite critical values, or even to execute database host operating system commands. This is accomplished by using the application to obtain user input and combining static parameters into SQL queries.

$offset = $argv [0]; Note that there is no input validation!
$query  = "SELECT ID, name from [Order by name LIMIT OFFSET $offset;";
$result = Pg_query ($conn, $query);

This is the most common example of pagination, but if someone passes the following statement through Unlencecode (),

0;
Insert into Pg_shadow (usename,usesysid,usesuper,usecatupd,passwd)
    select ' Crack ', usesysid, ' t ', ' t ', ' crack ' From
    Pg_shadow where usename= ' postgres ';
--

Insert the statement after the URL. A user is inserted in the table of data (guess by field, but it must be inserted)

Pay attention to that 0; Just to provide a correct offset to complement the original query so that it doesn't go wrong. , this is the example in the manual.

$query  = "SELECT ID, name, inserted, size from products
                  WHERE size = ' $size ' ORDER by
                  $order LIMIT $limit, $of Fset; ";
$result = Odbc_exec ($conn, $query);

You can add another SELECT query based on the original query to get the password:

'
Union Select ' 1 ', concat (uname| | ') -'|| passwd) as name, ' 1971-01-01 ', ' 0 ' from usertable;
--

Another example:

<?php
$query  = "SELECT * from the products WHERE id like '% $prod% '";
$result = Mssql_query ($query);
? >

If the attack is submitted a% ' exec master. xp_cmdshell ' net user Test Testpass/add '-the value $prod as a variable, then $query will become

<?php
$query  = "SELECT * from the products
                    WHERE id like '%a% '
                    exec master. xp_cmdshell ' net user Test Testpass/add '-';
$result = Mssql_query ($query);
? >

Some people say that the above attack must know the structure of the data table, etc., but no one can guarantee that they do not get this information, whether by guessing or, for example, the most common user table is User,admin table, what node table access Ah, is not impossible

But also by modifying form forms, adding hidden fields to submit the form, the ASP's more frightening, through SQL injection to guess database statements and so on, and MySQL SQL language is incorrect, but still do not believe the data entered by others.

It is best to check the data sent by each client for strict filtering. To ensure the safety of the site. And, if possible, it is best to establish a log system to facilitate you to see if the site has not been invaded.

Free Open-source products in PHP, such as Dede, Empire, Dz,ecshop, etc., users are no longer a minority! However, the more open source products the more dangerous! Because others are very easy to get to your database structure, the Site directory structure! Site All code! Attacking websites is also easy:

For example, dedeV5.7 's