此查询是否容易受到 SQL 注入攻击?

发布于 2024-08-25 04:24:20 字数 168 浏览 9 评论 0原文

$myq = sprintf("select user from table where user='%s'", $_POST["user"]);

我想知道是否可以使用 SQL 注入来利用上述查询。是否有任何高级 SQL 注入技术可以破坏此特定查询的 sprintf ?

$myq = sprintf("select user from table where user='%s'", $_POST["user"]);

I would like to know if the above query can be exploited using SQL injection. Is there any advanced SQL injection technique that could break sprintf for this particular query?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(8

謸气贵蔟 2024-09-01 04:24:20

我不认为它需要特别高级...尝试输入

' OR 1 = 1 OR user='

换句话说,您将得到以下 SQL:

select user from table where user='' OR 1 = 1 OR user=''

这看起来像您真正想要执行的查询吗? (现在考虑它删除表或类似内容的可能性。)

底线是您应该使用参数化查询。

I don't think it needs to be particularly advanced... try an input of

' OR 1 = 1 OR user='

In other words, you'll get SQL of:

select user from table where user='' OR 1 = 1 OR user=''

Does that look like a query you really want to execute? (Now consider the possibility of it dropping tables instead, or something similar.)

The bottom line is that you should be using a parameterised query.

对你再特殊 2024-09-01 04:24:20

是的,我想说你那里有一个潜在的问题:)

需要转义\x00、\n、\r、\、'、"\x1asprintf() 不会这样做sprintf() 不会对字符串进行任何修改,它只是根据您指定的格式将您提供的任何可变参数扩展到您提供的缓冲区中。

如果字符串正在被转换,则可能是由于 魔法引号(如Rob 在评论中指出),而不是 sprintf() 如果是这种情况,我强烈建议禁用它们。

Yes, I'd say you have a potential problem there :)

You need to escape: \x00, \n, \r, \, ', " and \x1a. sprintf() does not do that, sprintf() does no modification to strings, it just expands whatever variadic arguments that you give it into the buffer that you provide according to the format that you specify.

If the strings ARE being transformed, its likely due to magic quotes (as Rob noted in Comments), not sprintf(). If that is the case, I highly recommend disabling them.

辞别 2024-09-01 04:24:20

使用 sprintf 不会为您提供比使用简单字符串更多的保护连接sprintf 的优点只是比使用简单 PHP 的字符串连接更具可读性。但是,在使用 %s 格式时,sprintf 只执行简单的字符串连接:

$str = implode('', range("\x00", "\xFF"));        // string of characters from 0x00 – 0xFF
var_dump(sprintf("'%s'", $str) === "'".$str."'"); // true

您需要使用转义要插入数据的上下文特殊字符的函数(在本例中是 MySQL 中的 字符串声明 ,假设您使用的是 MySQL),例如 **mysql_real_escape_string** 的作用:

$myq = sprintf("select user from table where user='%s'", mysql_real_escape_string($_POST["user"]));

Using sprintf doesn’t give you any more protection than using simple string concatenation. The advantage of sprintf is just having it a little more readable than when to using simple PHP’s string concatenation. But sprintf doesn’t do any more than simple string concatenation when using the %s format:

$str = implode('', range("\x00", "\xFF"));        // string of characters from 0x00 – 0xFF
var_dump(sprintf("'%s'", $str) === "'".$str."'"); // true

You need to use functions that escape the contextual special characters you want to insert your data into (in this case a string declaration in MySQL, supposing you’re using MySQL) like **mysql_real_escape_string** does:

$myq = sprintf("select user from table where user='%s'", mysql_real_escape_string($_POST["user"]));
雄赳赳气昂昂 2024-09-01 04:24:20

当 $_POST["user"] 等于 "';SHUTDOWN;" 时- 会发生什么?

when $_POST["user"] would equal "';SHUTDOWN;" - what would happen?

ゃ懵逼小萝莉 2024-09-01 04:24:20

实际上,关闭魔术引号。

在 PHP 中,在适当的情况下使用过滤器:

$inUser = $_POST['user'];
$outUser = filter_var($inUser, FILTER_SANITIZE_STRING);

过滤器去除 HTML 标签并转义各种字符。

此外,你可以让你的数据库为你转义它:

$inUser = $_POST['user'];
$outUser = mysqli_real_escape_string($conn, $inUser);

这会转义 MySQL 特定的特殊字符,如双引号、单引号等。

最后,你应该使用参数化查询:

$sql = "SELECT user FROM table WHERE user = ?";
$stmt = $pdo->prepare($sql);
$params = array($outUser);
$stmt->execute($params);

参数化查询会自动在字符串等周围添加引号,并且具有进一步的限制使 SQL 注入变得更加困难。

我按顺序使用这三个。

Actually, turn off magic quotes.

In PHP, where it's appropriate, use filters:

$inUser = $_POST['user'];
$outUser = filter_var($inUser, FILTER_SANITIZE_STRING);

Filters strip out HTML tags and escape various characters.

In addition, you can let your database escape it for you:

$inUser = $_POST['user'];
$outUser = mysqli_real_escape_string($conn, $inUser);

This escapes MySQL specific special characters like double quotes, single quotes, etc.

Finally, you should use parameterized queries:

$sql = "SELECT user FROM table WHERE user = ?";
$stmt = $pdo->prepare($sql);
$params = array($outUser);
$stmt->execute($params);

Parameterized queries automatically add the quotes around strings, etc., and have further restrictions that make SQL injections even more difficult.

I use all three, in that order.

想念有你 2024-09-01 04:24:20

啊,我带来了神奇的答案! :)
神奇的引号可以为你转义!

所以,你必须关闭 magic_quotes_gpc ini 指令
然后按照建议使用 mysql_real_escape_string 。

Ahh here I come with the magic answer! :)
magic quotes do escaping for you!

So, you have to turn magic_quotes_gpc ini directive off
and then use mysql_real_escape_string as suggested.

我不咬妳我踢妳 2024-09-01 04:24:20

是的。

如果有人在您的表单中以用户身份输入以下内容:

'; delete * from table

Yes.

If somebody put in the following as the user in your form:

'; delete * from table
浪漫之都 2024-09-01 04:24:20
$_POST["user"] = "' or 1=1 or user='"
$_POST["user"] = "' or 1=1 or user='"
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文