mysql防SQL注入搜集

標籤：end   轉義   failed   where   sql   create   password   case   函數返回   

SQL注入

例：指令碼邏輯

$sql = “SELECT * FROM user WHERE userid = $_GET[userid] “;

案例1：SELECT * FROM t WHERE a LIKE ‘%xxx%’ OR (IF(NOW=SYSDATE(), SLEEP(5), 1)) OR b LIKE ‘1=1 ‘;

　案例2：SELECT * FROM t WHERE a > 0 AND b IN(497 AND (SELECT * FROM (SELECT(SLEEP(20)))a) );

　案例3：SELECT * FROM t WHERE a=1 and b in (1234 ,(SELECT (CASE WHEN (5=5) THEN SLEEP(5) ELSE 5*(SELECT 5 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) )；

監控以下方法SLEEP() — 一般的SQL盲注都會伴隨SLEEP()函數出現，而且一般至少SLEEP 5秒以上MID()CHAR()ORD()SYSDATE()SUBSTRING()DATABASES()SCHEMA()USER()VERSION()CURRENT_USER()LOAD_FILE()OUTFILE/DUMPFILEINFORMATION_SCHEMATABLE_NAMEfwrite()/fopen()/file_get_contents() — 這幾個是PHP檔案操作函數

 

應對方法：

1.mysql_real_escape_string() 轉義特殊字元（(PHP 4 >= 4.3.0, PHP 5)）

下列字元受影響：\x00 //對應於ascii字元的NULL\n  //分行符號且回到下一行的最前端\r //分行符號\ //轉義符‘ "\x1a  //16進位數如果成功，則該函數返回被轉義的字串。如果失敗，則返回 false。

2.addslashes(): 函數返回在預定義字元之前添加反斜線的字串

預定義的字元有：    單引號（‘）    雙引號（"）    反斜線（\）    NULL

3.prepared  statements(預先處理機制)

<?php$mysqli = new mysqli("example.com", "user", "password", "database");if ($mysqli->connect_errno) {    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;}/* Non-prepared statement */if (!$mysqli->query("DROP TABLE IF EXISTS test") || !$mysqli->query("CREATE TABLE test(id INT)")) {    echo "Table creation failed: (" . $mysqli->errno . ") " . $mysqli->error;}/* Prepared statement, stage 1: prepare */if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) {    echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;}/* Prepared statement, stage 2: bind and execute */$id = 1;if (!$stmt->bind_param("i", $id)) {    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;}if (!$stmt->execute()) {    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;}?>

 

mysql防SQL注入搜集