This article walks through an example of a SQL injection vulnerability in PHP, something every developer must pay attention to.

When developing a web site, the characters passed in from the page must be filtered (or, better, kept out of the query text entirely) for security reasons. In general, users can reach the contents of the database through several interfaces: the URL address bar, the login form, a message board, the search box, and so on. Each of these gives an attacker an opportunity: data can be leaked and the server compromised.

1. The steps of a SQL injection attack

a) Find an injection point (for example, the login form or a message board).
b) Construct a malicious input (for example, ' or 1=1#, explained later).
c) The application embeds that input in a SQL statement and sends it to the database management system (DBMS).
d) The DBMS parses and executes the statement exactly as received; it has no way to tell which part was written by the developer and which part came from the user.
e) The application receives the result set and returns it to the user. Because the user supplied a crafted piece of SQL, the result is whatever the crafted statement selects (as long as the statement is flexible enough).

Below, an example illustrates this in detail.

2. A SQL injection example in detail

(The test below assumes that magic_quotes_gpc is off on the server. That setting was removed in PHP 5.4, so on any current PHP it is always off.)

1) Preparation

To demonstrate the vulnerability we will log in to a backend administrator interface. First, create a test table. The code is as follows:

CREATE TABLE `users` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(64) NOT NULL,
  `password` varchar(64) NOT NULL,
  `email` varchar(64) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=MyISAM AUTO_INCREMENT=3 DEFAULT CHARSET=latin1;

(The varchar widths are garbled in the source listing; 64 is assumed here.)

Add a record for testing. The code is as follows:

INSERT INTO users (username, password, email) VALUES ('marcofly', MD5('test'), 'marcofly@test.com');

Next, the login form. The code is as follows:

<title>SQL Injection Demo</title>

When the user clicks the Submit button, the form data is posted to validate.php, which checks whether the submitted user name and password meet the requirements (this step is very important, and it is where SQL injection vulnerabilities usually live). The code is as follows:

<title>Login Verification</title>

Notice that the data submitted by the user (user name and password) is passed straight into the query, with no filtering of special characters at all; later you will see why this is fatal.

Code analysis: if the user name and password match, the script redirects to the administrator interface (manager.php); otherwise it shows a friendly error message. With the preparation done, the main act begins: SQL injection.

2) Constructing the SQL statement

Fill in the correct user name (marcofly) and password (test) and click Submit; the "Welcome administrator" page is returned, because the submitted user name and password are assembled into the following query. The code is as follows:

SELECT * FROM users WHERE username='marcofly' AND password=md5('test')

Obviously, since the user name and password are the ones we inserted earlier, the login succeeds. What if we enter a wrong user name or password? Normally we would not get in. But on a site with a SQL injection vulnerability, we can log in successfully as long as we construct a special "string".
For example, type the following into the user name box: ' or 1=1#, and leave the password box empty (or type anything; the query below shows the empty case). The SQL query now becomes the following. The code is as follows:

SELECT * FROM users WHERE username='' or 1=1#' AND password=md5('')

Semantic analysis: in MySQL, # starts a comment, so everything after the pound sign is treated as a comment and is not executed. In other words, the following two statements are equivalent. The code is as follows:

SELECT * FROM users WHERE username='' or 1=1#' AND password=md5('')

is equivalent to

SELECT * FROM users WHERE username='' or 1=1

Because 1=1 is always true, the WHERE clause is always true, and the statement simplifies further to the following SELECT. The code is as follows:

SELECT * FROM users

That is, the statement returns every row of the users table, and since validate.php only checks whether any row came back, the login succeeds. Tip: if you are not sure what the single quote in ' or 1=1# does, echo the assembled SQL statement yourself and it will be obvious at a glance.

See what destructive power a single crafted SQL statement has; after reading this far you should have a concrete picture of SQL injection. Yes, SQL injection is that easy. However, constructing a flexible SQL statement for a real target is not easy; once you have the foundation, you have to explore it step by step. Have you thought about what happens if the data submitted through the login form is filtered for special characters by the administrator? Then our universal user name ' or 1=1# no longer works. That does not mean there is no way in: users interact with the database through more channels than this one.
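To make the validate.php logic tangible, here is an added example, not code from the original article, written in Python against an in-memory SQLite database so it runs without a MySQL server. It assembles the query by string concatenation exactly as validate.php does, registers an md5() function so the query keeps the article's md5('...') shape, shows the ' or 1=1 bypass against that query, and puts the parameterized version beside it. Assumptions: the users table is the SQLite equivalent of the article's schema with the same test row, and because SQLite's line comment is -- rather than MySQL's #, the payload actually executed here is ' or 1=1-- (build_query still produces the MySQL form of the text for the article's payload).

```python
import hashlib
import sqlite3

# Constructed test schema mirroring the article's users table (SQLite, not MySQL).
SCHEMA = """
CREATE TABLE users (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  username TEXT NOT NULL UNIQUE,
  password TEXT NOT NULL,
  email TEXT NOT NULL
);
"""

# The article's MySQL payload, and its SQLite spelling (SQLite comments with --, not #).
BYPASS_MYSQL = "' or 1=1#"
BYPASS_SQLITE = "' or 1=1-- "


def build_query(username, password):
    """Assemble the query the way validate.php does: plain string concatenation.
    This is the vulnerable step; the returned text is exactly what the DBMS parses."""
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND password=md5('" + password + "')")


def open_db():
    """Create the demo database, register an md5() SQL function (SQLite has none
    built in) and insert the article's test account marcofly / test."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users (username, password, email) VALUES (?, md5(?), ?)",
                 ("marcofly", "test", "marcofly@test.com"))
    return conn


def login_vulnerable(conn, username, password):
    """validate.php's check: any row coming back means 'Welcome administrator'."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    """Hardened check: the input travels as bound parameters, never as SQL text,
    so a quote or comment marker in it is just data compared against the column."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=md5(?)",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = open_db()
    # The text the article analyses: the # comments out the password check.
    print(build_query(BYPASS_MYSQL, ""))
    print("correct credentials, vulnerable:", login_vulnerable(conn, "marcofly", "test"))
    print("wrong password, vulnerable     :", login_vulnerable(conn, "marcofly", "wrong"))
    print("bypass payload, vulnerable     :", login_vulnerable(conn, BYPASS_SQLITE, "anything"))
    print("bypass payload, parameterized  :", login_safe(conn, BYPASS_SQLITE, "anything"))
```

In PHP the hardened form is the same idea: a prepared statement through PDO or mysqli with bound parameters, which removes the need to filter quotes and comment markers by hand. Note also that the comment syntax is DBMS-specific (# for MySQL, -- for SQLite and most others), which is why the executed payload differs from the article's while the generated query text does not; and that md5() for password storage is kept here only to match the article, not as a recommendation.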
Source: http://www.bkjia.com/PHPjc/727559.html