SQL注入尝试PHP 5.2.6
在 XAMPP 中使用 PHP 5.2.6:
我在此处阅读了有关sql注入的内容,并使用以下登录表单进行了尝试:
<html><body>
<form method='post' action='login.php'>
<input type='text' name='user'/>
<input type='text' name='pass'/>
<input type='submit'/>
</form>
</body></html>
和php代码:
<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = "Select * from users where user='$user' AND pass='$pass'";
echo $query;
mysql_connect('localhost','root','');
mysql_select_db('test');
$res = mysql_query($query);
if($res) $row = mysql_fetch_assoc($res);
if($row) echo 'yes';
?>
我发现了什么结果是,$pass 变量已经转义了所有特殊字符。 那么,在 PHP 5.2.6 中是不是就不需要使用 mysql_real_escape_string 了呢?
Using PHP 5.2.6 in XAMPP :
I read about sql injections here and tried that with the following login form :
<html><body>
<form method='post' action='login.php'>
<input type='text' name='user'/>
<input type='text' name='pass'/>
<input type='submit'/>
</form>
</body></html>
and php code :
<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = "Select * from users where user='$user' AND pass='$pass'";
echo $query;
mysql_connect('localhost','root','');
mysql_select_db('test');
$res = mysql_query($query);
if($res) $row = mysql_fetch_assoc($res);
if($row) echo 'yes';
?>
What I found out was, the $pass variable already had all the special characters escaped.
So, is there no need to use the mysql_real_escape_string in PHP 5.2.6 then?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
由于服务器配置中启用了 Magic Quotes,这些值可能会被转义。 魔术引号被认为非常糟糕,基本上就是出于您提到的确切原因。 依赖某个可能开启或不开启的功能来自动转义传入的数据是不安全的。 在运行时自己做会更好。
有关 Magic 引号的更多信息,以及它们为何不好以及如何禁用它们,请查看以下一些问题/答案:
The values may be escaped due to Magic Quotes being enabled in your server configuration. Magic quotes are considered very bad, basically for the exact reason you mention. It is not safe to rely on a feature that may or may not be on to automagically escape your incoming data. It is much better to do it yourself at run time.
For more information on Magic quotes, and why they're bad, and how to disable them, take a look at a few of these SO questions/answers:
您的 PHP 服务器可能配置为使用 Magic Quotes。 PHP 中已弃用的设置,可自动转义 PHP 脚本中的所有传入数据。 它已被弃用,并将在 PHP 6 中删除。 以下是 Zend 的原因 用于删除魔术引号。
最好不要依赖“魔法”,这种“魔法”可以让很多事情顺利进行,但会破坏其他事情。 显式转义您的输入更加可靠,并且可以让您设计出更好的代码。 例如,并非所有输入都需要以相同的方式转义。
It is likely your PHP server is configure to use Magic Quotes. A deprecated setting in PHP that automatically escapes all incoming data in a PHP script. It's deprecated and will be removed in PHP 6. Here are Zend's reasons for removing Magic Quotes.
It's better to not rely on 'magic' that makes many things work but breaks others. Explicitly escaping your input is more reliable and makes you design better code. For example, not all input needs to be escaped in the same way.
不,我不认为你在这里。 无论 php 是否神奇地转义此示例中的特殊字符,解释器都不会对您的查询参数执行 mysql 特定 转义。
我认为这段代码极有可能存在漏洞。
No, I don't think you're right here. Whether or not php magically escapes special characters in this example, the interpreter isn't going to perform mysql specific escaping on your query args.
I think it's extremely likely that there's a vulnerability in this code.