SQL 注入 - 这(oneliner)安全吗?
PHP:
$SQL = "SELECT goodies FROM stash WHERE secret='" .
str_replace("'",'',$_POST['secret']) .
"'";
邪恶的天才黑客能否将 SQL 注入到我的 SELECT 中 - 如何?
PHP:
$SQL = "SELECT goodies FROM stash WHERE secret='" .
str_replace("'",'',$_POST['secret']) .
"'";
Could an evil genius hacker inject SQL into my SELECT - How ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
为什么不使用 mysql_real_escape_string() 甚至更好的准备好的语句?你的解决方案看起来很愚蠢。
Why won't you use mysql_real_escape_string() or even better - prepared statements? Your solution seems silly.
我已经考虑这个问题有一段时间了,但我看不出有什么方法可以将 SQL 注入到这个语句中。
以单引号开头的 SQL 字符串在下一个单引号处终止,除非它使用反斜杠或另一个引号(
\'或'')进行转义。由于您要删除所有单引号,因此不能有双引号。如果您转义结束引号,您将收到错误,但不会出现 SQL 注入。然而,此方法有许多缺点:
例如:
当使用参数
\和OR 1 = 1 --调用时,会导致:MySQL 会看到这样的结果:
即使不可能导致注入在这种情况下,其缺点使其不适合作为避免 SQL 注入的通用方法。
正如已经指出的,解决方案是使用准备好的语句。这是防止SQL注入攻击最可靠的方法。
I've had a think about this for a while and I can't see any way to inject SQL into this statement.
An SQL string that starts with a single quotes terminates at the next single quote unless it is escaped with a backslash or another quote (
\'or''). Since you are removing all single quotes there cannot be a doubled quote. If you escape the closing quote you will get an error, but no SQL injection.However this method has a number of drawbacks:
For example:
When called with parameters
\andOR 1 = 1 --would result in:Which MySQL would see as something like this:
Even if it's impossible to cause an injection in this case the drawbacks make this unsuitable for a general purpose way to avoid SQL injection.
The solution, as already pointed out, is to use a prepared statement. This is the most reliable way to prevent SQL injection attacks.
或许。
最好的办法是:
May be.
The best way is:
为什么不使用
mysql_escape_string?是的,他可以,添加"而不是'并且加上,我猜这个查询会给你一个错误。Why just don't use
mysql_escape_string? And yes, he could, adding"instead of'and plus, this query will give you an error, I guess.