Summary of common SQL injection attack methods (PHP tutorial)

Source: Internet
Author: User
Tags: mysql, injection, sql error, sql injection attack
When developing a Web site we may leave security problems behind. Below is a summary of some common SQL injection attack methods that beginners can use as a reference.

1. Escape characters are not properly filtered

This form of injection, or attack, occurs when user input is passed into an SQL statement without any escape-character filtering. It lets the end user of the application run operations of their own choosing against the database. For example, the following line of code demonstrates this vulnerability:

The code is as follows:

"SELECT * from users WHERE name = '" + userName + "';"

This code is meant to fetch a particular user from the users table, but if a malicious user crafts the user name in a particular way, the statement may do more than the author of the code intended. For example, if the user name variable (userName) is set to a' or 't'='t, the original statement becomes:

The code is as follows:

SELECT * from users WHERE name = 'a' OR 't'='t';

If this code is used in an authentication process, this example forces the selection of a valid user name, because the comparison 't'='t' is always true.

On some SQL servers, such as Microsoft SQL Server, any SQL command can be injected this way, including the execution of multiple statements. The following value of userName causes the "users" table to be deleted and then selects all rows from the "data" table (actually revealing every user's information).

The code is as follows:

a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%

The final SQL statement then looks like this:

The code is as follows:

SELECT * from users WHERE name = 'a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

Other SQL implementations do not allow multiple commands in the same query, as a security measure. This prevents an attacker from injecting a completely separate query, but it does not prevent the attacker from modifying the existing query.

2. Incorrect type handling

This form of attack occurs when a user-supplied field is not strongly typed, or when no type check is enforced. When a numeric field is used in an SQL statement, the attack succeeds if the programmer does not check that the user input is legitimate (that is, actually numeric). For example:

The code is as follows:

"SELECT * FROM data WHERE id =" + a_variable + ";"

As you can see from this statement, the author expects a_variable to be a number related to the id field. But if the end user supplies a string instead, no escape characters are needed at all. For example, setting a_variable to 1; DROP TABLE users removes the "users" table from the database, because the SQL statement becomes:

The code is as follows:

SELECT * FROM data WHERE id = 1; DROP TABLE users;

3. Vulnerabilities in the database server

Sometimes the database server software itself has vulnerabilities, such as the mysql_real_escape_string() vulnerability in MySQL server. That vulnerability allowed an attacker to carry out a successful SQL injection attack based on incorrect character-encoding handling.

4. Blind SQL injection attack

So-called blind SQL injection attacks occur when a Web application is vulnerable but the results of the attack are not visible to the attacker. A vulnerable page might not display any data, but instead shows different content depending on the result of a logical statement injected into the legitimate statement. This attack is time-consuming, because a new statement must be carefully constructed for each byte obtained. But once the location of the vulnerability and the location of the target information are established, a tool called Absinthe can automate the attack.

5. Conditional response

Note that there is a form of SQL injection that forces the database to evaluate a logical statement on an ordinary application page:

The code is as follows:

SELECT booktitle FROM booklist WHERE bookId = 'ook14cd' AND 1=1

This yields the normal page, whereas the statement

SELECT booktitle FROM booklist WHERE bookId = 'ook14cd' AND 1=2

may give a different result when the page is vulnerable to SQL injection. Such an injection proves that blind SQL injection is possible, which allows an attacker to design statements whose truth depends on the content of a field in another table.

6. Conditional errors

If the WHERE clause is true, this type of blind SQL injection forces the database to evaluate a statement that causes an error, resulting in an SQL error. For example:

The code is as follows:

SELECT 1/0 FROM users WHERE username = 'Ralph'

Obviously, if the user Ralph exists, the division by zero causes an error.

7. Time delay

A time delay is a blind SQL injection in which, depending on the injected logic, the SQL engine is made to execute a long-running query or a deliberate time-delay statement. An attacker can then measure how long the page takes to load to determine whether the injected statement was true.
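As an added, defender-side example that is not part of the original tutorial: a small Python scanner that looks in web-server access logs for the three kinds of blind-injection probe described in sections 5 to 7. The log lines, IP addresses and paths are constructed; the sleep/benchmark/waitfor names are MySQL and SQL Server delay functions used here only as detection signatures. A single boolean hit is weak evidence, so the second function looks for the tell-tale of section 5: one client sending two different conditions (1=1, then 1=2) against the same path.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the three blind-injection techniques described above,
# matched against the URL-decoded request target.
PROBE_SIGNATURES = [
    ("conditional-response", re.compile(r"\b(?:and|or)\s+(\d+\s*=\s*\d+)", re.I)),
    ("conditional-error", re.compile(r"\b(\d+\s*/\s*0)\b")),
    ("time-delay", re.compile(r"\b(sleep\s*\(|benchmark\s*\(|waitfor\s+delay)", re.I)),
]
# Leading fields of a common-log-format line: client IP and request target.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

# Constructed sample access-log lines (not real traffic) replaying the
# tutorial's bookId=ook14cd and username=Ralph probes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /book.php?bookId=ook14cd HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /book.php?bookId=ook14cd'%20and%201=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /book.php?bookId=ook14cd'%20and%201=2 HTTP/1.1" 200 310
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /user.php?username=Ralph'%20and%201/0=1 HTTP/1.1" 500 120
10.0.0.9 - - [01/Jan/2024:10:00:21 +0000] "GET /user.php?username=Ralph'%20and%20sleep(5)=0 HTTP/1.1" 200 410
"""

def scan_log(text):
    """One (ip, path, technique, matched_text) per request carrying a probe."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), unquote_plus(m.group(2))
        for technique, pattern in PROBE_SIGNATURES:
            found = pattern.search(target)
            if found:
                hits.append((ip, target.split("?")[0], technique,
                             re.sub(r"\s+", "", found.group(1)).lower()))
                break
    return hits

def paired_boolean_probes(hits):
    """(ip, path) pairs where one client sent two different boolean
    conditions (e.g. 1=1 then 1=2) to the same path: ordinary traffic
    almost never does this, so it is a much stronger signal than one hit."""
    conditions = {}
    for ip, path, technique, matched in hits:
        if technique == "conditional-response":
            conditions.setdefault((ip, path), set()).add(matched)
    return {key for key, conds in conditions.items() if len(conds) >= 2}
```

Correlating the conditional-error hits with the 500 status and the time-delay hits with unusually long response times (when the log records them) sharpens the triage further.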

These are only a rough classification of SQL injection attacks. Technically, today's SQL injection attackers are smarter and more thorough about finding vulnerable sites, and new SQL attack methods keep appearing. Attackers can use a variety of tools to speed up exploitation. Take the Asprox Trojan as an example: it is spread mainly through a spam-sending botnet, and its working process is as follows. First, the Trojan is installed on a computer through spam sent by controlled hosts. Then the infected computer downloads a binary that, when started, uses search engines to find vulnerable web sites that build forms with Microsoft's ASP technology. The search results become a list of targets for SQL injection attacks. Next, the Trojan launches SQL injection attacks against these sites, so that some of them are taken over and defaced. Users who visit these compromised sites are tricked into downloading malicious JavaScript code from another site. Finally, that code directs the user to a third site hosting more malware, such as password-stealing Trojans.

Previously, we often warned or advised Web application programmers to test and patch their code, even though the chances of an SQL injection vulnerability being discovered and exploited were not very high. Recently, however, attackers are increasingly discovering and maliciously exploiting these vulnerabilities. Developers should therefore test their code more proactively before deploying their software, and patch it as soon as new vulnerabilities appear.

For example, someone might use this method to bypass the login window. Suppose your user name and password query looks something like this:

SELECT * FROM users WHERE username = {username} AND
password = {password}

Then the user can log in with any user name by using this password:

' OR ''='

which turns the MySQL query that validates your user name and password into:

SELECT * FROM users WHERE username = 'anyuser' AND
password = '' OR ''=''

Because an empty string is always equal to an empty string, the query condition is always true, so MySQL returns every row in the table, and depending on your program logic this may log the user in, because every user matches. As a result, you can see that the risk of MySQL injection is still great, because attackers can read data that should only be accessible after logging in. It is important to prevent your website from being attacked by injection. Fortunately, PHP can help us prevent injection attacks.

Now, most of the time, people enable the magic_quotes_gpc option (which is also the default in PHP), so that configuration automatically adds backslashes, escaping all ' (single quotes), " (double quotes), \ (backslashes) and NUL characters. But it is not that simple, because not every character that can cause risk is escaped. PHP has a function that escapes all the MySQL characters that could introduce extra SQL clauses: mysql_real_escape_string().

Use this function with caution, because you may have enabled the magic_quotes_gpc option, and calling mysql_real_escape_string() on input that is already escaped results in a double escape. The following function avoids this problem by first determining whether the magic_quotes_gpc option is on and only then deciding whether to undo that escaping before calling mysql_real_escape_string().
<?php
// Add quotation marks to the variable so that it is safe to use in a query
function quote_smart($value)
{
    $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');
    // If magic_quotes_gpc already escaped the input, undo that first so it is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote and escape everything that is not a number
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value, $link) . "'";
    }
    return $value;
}

Note that the quote_smart() function automatically quotes strings, so you do not need to add the quotes yourself.
Also note that, because different MySQL versions have different escaping requirements, mysql_real_escape_string() needs a MySQL connection to work, so a connection must be passed as the second parameter. With a local MySQL installation it can be omitted, but if MySQL is not installed on the machine, or the connection is to a remote MySQL server, this parameter is necessary; otherwise mysql_real_escape_string() returns an empty string.
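As an added example that is not part of the original tutorial: the same login query and the numeric id lookup from sections 1 and 2, run against a constructed in-memory SQLite table from Python so the effect can be observed without a MySQL server. Instead of the escaping approach above it uses the stronger defence of bound parameters (placeholders) plus an explicit type check, so the tutorial's ' OR ''=' password and the 1; DROP TABLE users id never reach the SQL parser as syntax.

```python
import sqlite3

# Constructed in-memory stand-in for the tutorial's "users" and "data" tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    db.execute("CREATE TABLE data (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO data VALUES (?, ?)", [(1, "one"), (2, "two")])
    return db

def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, as in the tutorial's login
    example. Returns the list of matched user names."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_safe(db, username, password):
    """Same query with bound parameters: the driver passes the values apart
    from the SQL text, so quotes inside them are data, never syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

def lookup_by_id_safe(db, a_variable):
    """Section 2's numeric case: enforce the type before the value gets
    anywhere near the SQL. Non-numeric input is rejected, not executed."""
    try:
        id_value = int(a_variable)
    except (TypeError, ValueError):
        return None
    rows = db.execute("SELECT id, name FROM data WHERE id = ?", (id_value,))
    return [row[1] for row in rows]

def demo():
    db = make_db()
    payload = "' OR ''='"  # the password from the tutorial's login example
    return (login_vulnerable(db, "anyuser", payload),  # every user matches
            login_safe(db, "anyuser", payload),        # nothing matches
            lookup_by_id_safe(db, "1; DROP TABLE users"),  # rejected
            lookup_by_id_safe(db, "1"))

if __name__ == "__main__":
    print(demo())
```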
