这是在 PHP 中构造 mysql_query 的安全方法吗
我已经尝试通过在 Firefox 之外对服务器进行自定义查询来实现 SQL 注入。
在 php 内部,所有变量都以这样的字符串形式传递到查询中。
请注意,到此阶段,$_POST 尚未被触及。
mysql_query('INSERT INTO users (password, username) VALUES(' . sha1($_POST['password']) . ',' . $_POST['username'] . '));
这是一种安全的改变方式吗?
I have tried and tried to achieve an SQL injection by making custom queries to the server outside of firefox.
Inside the php, all variables are passed into the query in a string like this.
Note, by this stage, $_POST has not been touched.
mysql_query('INSERT INTO users (password, username) VALUES(' . sha1($_POST['password']) . ',' . $_POST['username'] . '));
Is that a secure way to make a change?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
您绝对应该使用 mysql_real_escape_string 转义用户名。
当然,最好的解决方案是使用准备好的语句。这样就在 mysql API 级别上实现了查询语法和数据的分离。
而且,正如其他人指出的那样,价值观绝对应该用引号引起来。尤其是文字的。
You should definitely escape the username with mysql_real_escape_string.
Of course the best solution would be to use prepared statements. That way the separation of query syntax and data is made on the mysql API level.
And, as others pointed out, values should absolutely be surrounded with quotes. Especially the text ones.
你在那里所做的事情是危险的,因为有人可以使用邪恶的用户名发送 POST 请求。
您可以检查每个参数并转义它,
另外你可以使用 mysqli (http://php.net/manual/en/book. mysqli.php),
并使用prepare+bind绑定参数。
第一步是避免其他用户被利用,
而第二个有利于服务器端的安全。
另请查看这个问题: How do you Prevent SQL Injection in LAMP应用程序?
what you are doing there is dangerous since someone can send a POST request with an evil user name.
you can either check every parameter and escape it,
additionally you could use mysqli (http://php.net/manual/en/book.mysqli.php),
and bind the parameters using prepare+bind.
the first step is good to avoid exploits on other users,
while the second is good for your server side safety.
also check out this question: How do you prevent SQL injection in LAMP applications?
在检查你的代码时,我很惊讶当你不引用你插入的文字时它竟然能工作 - 你将生成如下代码:
所以它每次都会给出错误。假设这只是一个拼写错误......
mysql 扩展通过只允许每次调用一个查询来限制您执行注入攻击的能力。此外,对 INSERT 语句的注入攻击的范围有限。此外,在拼接到插入语句之前将表示形式更改为中性格式这一事实意味着它不是此类攻击的潜在途径。但是,如果有人发布包含单引号的用户名,您的代码应该失败(如果没有,那么您已经启用了 magic_quotes,但已弃用)。
OTOH,如果您应用相同的方法来验证帐户,那么您很容易受到注入攻击 - 考虑
如果 $_POST['username'] 包含“admin' OR 1 ”,那么您的系统就会受到损害。
您应该始终使用mysql_real_escape_string(),除非您使用不同的函数(例如sha1、bas64_encode...但不是addslashes)确保数据安全
C.
On checking your code I'm surprised it works at all when you don't quote the literals you are inserting - you will be generating code like:
So it will give an error every time. Assuming this is just a typo....
The mysql extension limits your ability to perform injection attacks by only allowing one query per call. Also, there is limited scope for an injection attack on a INSERT statement. Add to that the fact that you change the representation to a neutral format before splicing into the insert statement means that it is not a potential avenue for such an attack. However, your code should fall over if someone POSTs a username containing a single quote (if it doesn't then you've got magic_quotes enabled enabled which is deprecated).
OTOH if you apply the same method to validating the account then you are wide open to injection attacks - consider
If $_POST['username'] contains "admin' OR 1 " then your system is compromised.
You should always use mysql_real_escape_string() unless you've made the data safe using a different function (e.g. sha1, bas64_encode....but NOT addslashes)
C.
看看 http://php.net/mysqli.real-escape-string,将其添加到所有传入值中应该有助于使其更安全。
Look at http://php.net/mysqli.real-escape-string, adding that to all incomming values should help making it safer.
这是不安全的,除非打开
magic_quotes_gpc配置指令。var_dump(ini_get('magic_quotes_gpc'));或phpinfo();可以显示实际值 请注意,该指令是肮脏的、不推荐使用的且令人讨厌的。并且会使一些密码不起作用。
this is insecure, unless
magic_quotes_gpcconfiguration directive is turned on.var_dump(ini_get('magic_quotes_gpc'));orphpinfo();can show you the actual valueNote that this directive is dirty, deprecated and all-hated. And will make some passwords not work.
有时我想知道他们是否会在老人院里找到我,当护士经过时对着他们尖叫“绑定变量”。
这是 2010 年的人,不是 1995 年的人。
绑定变量!
绑定变量!
I wonder sometimes if they'll find me in the old folks home, screaming "BIND VARIABLES" at the nurses as they walk by.
It's 2010 people, not 1995.
BIND VARIABLES!
BIND VARIABLES!