多行查询 SQL 注入安全吗?
这可能是一个愚蠢的问题。 或者也许我的黑客技能有限(我根本不练习)。
我有一个如下所示的查询:
<?php
$query =<<<eot
SELECT table_x.field1,
table_x.field2,
table_y.*,
table_z.field4
FROM (
SELECT ...
) as table_y
LEFT JOIN table_x
ON table_x.field1 = table_y.field_x
LEFT JOIN table_z
ON table_z.field1 = table_y.field_z
WHERE table_x.field3 = '$something'
AND table_z.field4 = '1'
AND table_z.field5 = '2'
eot;
?>
在使用 $something 之前,我对它进行了很多其他测试,例如 $something =explode(' ',$something); (稍后会产生一个字符串)它们都没有打算阻止注入,但它们使给定的注入很难按实际查询的方式获得。 不过,还是有办法的。我们都知道用其他仍然有效的内容替换空格是多么容易。
因此,让潜在有害的 SQL 到达 $something 并不是真正的问题... 但是,如果原始查询字符串是多行,有什么方法可以注释它的其余部分吗?
我可以使用 ;-- 注释 AND table_z.field4 = '1' 但无法注释以下 AND table_z.field5 = '2' >
是否可以打开多行注释 /* 而不关闭它或类似的内容,从而允许注入忽略多行查询?
This might be a stupid question.
Or maybe my hacking skills are limited (I don't practice them at all).
I have a query that looks like this:
<?php
$query =<<<eot
SELECT table_x.field1,
table_x.field2,
table_y.*,
table_z.field4
FROM (
SELECT ...
) as table_y
LEFT JOIN table_x
ON table_x.field1 = table_y.field_x
LEFT JOIN table_z
ON table_z.field1 = table_y.field_z
WHERE table_x.field3 = '$something'
AND table_z.field4 = '1'
AND table_z.field5 = '2'
eot;
?>
I have a lot of other tests on $something before it gets used, like $something = explode(' ',$something); (which later result in a string) none of them intend to prevent injection but they make it hard for the given injection to get as is to the actual query.
However, there are ways. We all know how easy it is to replace a space for something else which is still valid..
So, it's not really a problem to make a potentially harmful piece of SQL reach that $something...
But is there any way to comment the rest of the original query string if it is multi-line?
I can comment AND table_z.field4 = '1' using ;-- but can't comment the following AND table_z.field5 = '2'
Is it possible to open a multi-line comment /* without closing it or something looked like and therefore allow the injection to ignore the multi-line query?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
这不安全。即使它无法注释掉其余部分,它也可以在其前面加上 SELECT * FROM my_table WHERE 1=1 前缀。
It's not safe. Even if it can't comment out the rest, it could prefix it with SELECT * FROM my_table WHERE 1=1.
为了安全起见,使用准备好的语句:
http://www.php.net/manual /en/pdo.prepare.php
如果你的输入没有被充分清理,字符串插值总是存在代码注入的风险。
消除执行任意代码的可能性是更简单且更安全的方法。
Use prepared statements to be safe:
http://www.php.net/manual/en/pdo.prepare.php
String interpolation always has the risk of code injection if your input is not sufficiently cleaned.
Removing the possibility to execute arbitrary code is the easier AND much safer way.
@Techpriester:这不是准备好的声明。
http://dev.mysql.com/tech-resources/ articles/4.1/prepared-statements.html(旧版本,同样的事情)
PDO是一个“准备语句”的数据库抽象层,但是准备好的语句是完全不同的东西!
@Techpriester: that's not what a prepared statement is.
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html (old version, same thing)
PDO is a database abstraction layer that "prepares statements", but a prepared statement is something entirely different!