Enabling the relevant option in the php.ini configuration file turns away most attackers who try to exploit a SQL injection vulnerability.
With magic_quotes_gpc = on, the effect of the addslashes() and stripslashes() functions is applied automatically. In PHP 4.0 and later this option is enabled by default, so even when the program does not filter its parameters, PHP automatically escapes every variable passed through GET, POST and COOKIE. In other words, any injected attack code is escaped as well, which makes the attacker's job much harder.
Even so, attackers still have an opportunity to launch SQL injection attacks. The precondition is that a numeric parameter is not processed by intval(), because after intval() all data is forcibly converted to a number.
As mentioned above, when magic_quotes_gpc = on is enabled, the addslashes() function is applied. A numeric parameter, however, is not wrapped in single quotes, so the escaping performed by addslashes() is naturally bypassed. MySQL's CHAR() function (or HEX() combined with CHAR()) interprets its arguments as integers and returns a string made of the ASCII characters with those codes; in hexadecimal notation the number must be prefixed with 0x.
Example:
Suppose we know that the administrator's username is admin but not the password, and magic_quotes_gpc is enabled.
SQL statement: $sql = "select * from users where username = $name and password = '$pwd'"; Note: the variable $name is not enclosed in quotation marks.
Enter username=admin'%23 in the address bar, and the merged SQL statement is:
select * from users where username = admin\'# and password = '';
Here the single quotation mark (') entered in the URL address bar is prefixed with a backslash, so the SQL statement becomes invalid.
admin converted to ASCII codes is CHAR(97,100,109,105,110).
Enter username=char(97,100,109,105,110)%23 in the address bar.
The SQL statement becomes:
select * from users where username = char(97,100,109,105,110)# and password = '';
If the query evaluates to true, the login succeeds and the admin backend is reached without the password.
Against numeric injection, you must use intval() to force the parameter to a number before any numeric parameter is put into the query, which cuts off the numeric injection vulnerability at its source.
For example: $id = intval($_GET['id']);
select * from articles where id = '$id';
Enter id=5' or 1=1%23 in the address bar.
The SQL statement becomes: select * from articles where id = '5';
instead of: select * from articles where id = '5' or 1=1#';
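The intval() rule above, written out as an added example (PHP; not code from the original post). It goes one step beyond the post by also showing a PDO prepared statement, the mechanism that replaced magic_quotes_gpc after its removal in PHP 5.4, and assumes a hypothetical articles table with constructed rows.

```php
<?php
// Added example, not code from the original post: the post's intval() rule applied to the
// articles query, plus a PDO prepared statement, the mechanism that replaced magic_quotes_gpc
// (removed in PHP 5.4). Runs against an in-memory SQLite database with constructed rows.

// Emulates what magic_quotes_gpc = on did to every GET/POST/COOKIE value.
function magicQuotesEmulated(string $raw): string
{
    return addslashes($raw);
}

// Hardened as the post recommends: the numeric parameter is forced to an integer,
// so any text after the leading digits is dropped before it reaches the SQL string.
function buildArticleQuery(string $rawId): string
{
    $id = intval(magicQuotesEmulated($rawId));
    return "SELECT * FROM articles WHERE id = '$id'";
}

// Stricter variant: reject a malformed id instead of silently truncating it,
// so the request can be logged rather than served.
function parseArticleId(string $rawId): ?int
{
    return ctype_digit($rawId) ? (int) $rawId : null;
}

// Modern equivalent: a prepared statement keeps the value out of the SQL text entirely,
// so neither quoting nor addslashes() matters.
function fetchArticle(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
$db = new PDO('sqlite::memory:');   // constructed sample table (hypothetical schema)
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles VALUES (5, 'fifth post'), (6, 'sixth post')");

// The post's payload (URL-decoded) beside a normal id.
foreach (['5', "5' or 1=1#"] as $raw) {
    $parsed = parseArticleId($raw);
    echo "input: $raw", PHP_EOL;
    echo "  intval query: ", buildArticleQuery($raw), PHP_EOL;
    echo "  strict parse: ", $parsed === null ? 'rejected' : "id=$parsed", PHP_EOL;
    if ($parsed !== null) {
        echo "  prepared:     ", json_encode(fetchArticle($db, $parsed)), PHP_EOL;
    }
}
```

Both inputs produce the same intval() query, which is the post's point; the strict parser additionally refuses the second input so it can be logged instead of served.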
Summary:
- Remember to enclose every variable in single quotes, for example where username = '$name',
- Enabling magic_quotes_gpc is not absolutely secure. Against numeric injection, escaping with the addslashes() function alone is not enough; you also need intval() to force parameters to numbers.
Original article: Web Development _ Xiaofei
When reprinting, please indicate the source: http://www.cnblogs.com/hongfei/archive/2012/01/14/magic-sql-injection.html