SQL 注入 - 这(oneliner)安全吗?

发布于 2024-09-14 12:30:56 字数 174 浏览 7 评论 0原文

PHP:

$SQL = "SELECT goodies FROM stash WHERE secret='" .  
    str_replace("'",'',$_POST['secret']) .  
"'";  

邪恶的天才黑客能否将 SQL 注入到我的 SELECT 中 - 如何?

PHP:

$SQL = "SELECT goodies FROM stash WHERE secret='" .  
    str_replace("'",'',$_POST['secret']) .  
"'";  

Could an evil genius hacker inject SQL into my SELECT - How ?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

肤浅与狂妄 2024-09-21 12:30:56

为什么不使用 mysql_real_escape_string() 甚至更好的准备好的语句?你的解决方案看起来很愚蠢。

Why won't you use mysql_real_escape_string() or even better - prepared statements? Your solution seems silly.

み零 2024-09-21 12:30:56

我已经考虑这个问题有一段时间了,但我看不出有什么方法可以将 SQL 注入到这个语句中。

以单引号开头的 SQL 字符串在下一个单引号处终止,除非它使用反斜杠或另一个引号(\''')进行转义。由于您要删除所有单引号,因此不能有双引号。如果您转义结束引号,您将收到错误,但不会出现 SQL 注入。

然而,此方法有许多缺点:

  • 输入中的单引号被忽略。
  • 输入中的反斜杠未正确处理 - 它们将被视为转义码。
  • 如果最后一个字符是反斜杠,则会出现错误。
  • 如果您稍后扩展查询以添加第二个参数,则会允许 SQL 注入攻击。

例如:

$SQL = "SELECT goodies FROM stash WHERE secret='" .  
    str_replace("'",'',$_POST['secret']) .  
"' AND secret2 = '" .
    str_replace("'",'',$_POST['secret2']) .  
"'";  

当使用参数 \OR 1 = 1 -- 调用时,会导致:

SELECT goodies FROM stash WHERE secret='\' AND secret2=' OR 1 = 1 -- '

MySQL 会看到这样的结果:

SELECT goodies FROM stash WHERE secret='...' OR 1 = 1

即使不可能导致注入在这种情况下,其缺点使其不适合作为避免 SQL 注入的通用方法。

正如已经指出的,解决方案是使用准备好的语句。这是防止SQL注入攻击最可靠的方法。

I've had a think about this for a while and I can't see any way to inject SQL into this statement.

An SQL string that starts with a single quotes terminates at the next single quote unless it is escaped with a backslash or another quote (\' or ''). Since you are removing all single quotes there cannot be a doubled quote. If you escape the closing quote you will get an error, but no SQL injection.

However this method has a number of drawbacks:

  • Single quotes in the input are ignored.
  • Backslashes in the input aren't handled correctly - they will be treated as escape codes.
  • You get an error if the last character is a backslash.
  • If you later extend the query to add a second parameter, it would allow an SQL injection attack.

For example:

$SQL = "SELECT goodies FROM stash WHERE secret='" .  
    str_replace("'",'',$_POST['secret']) .  
"' AND secret2 = '" .
    str_replace("'",'',$_POST['secret2']) .  
"'";  

When called with parameters \ and OR 1 = 1 -- would result in:

SELECT goodies FROM stash WHERE secret='\' AND secret2=' OR 1 = 1 -- '

Which MySQL would see as something like this:

SELECT goodies FROM stash WHERE secret='...' OR 1 = 1

Even if it's impossible to cause an injection in this case the drawbacks make this unsuitable for a general purpose way to avoid SQL injection.

The solution, as already pointed out, is to use a prepared statement. This is the most reliable way to prevent SQL injection attacks.

意中人 2024-09-21 12:30:56

或许。
最好的办法是:

$query = sprintf("SELECT goodies FROM stash WHERE secret='%s'",
addcslashes(mysql_real_escape_string($_POST['secret']),'%_'));

May be.
The best way is:

$query = sprintf("SELECT goodies FROM stash WHERE secret='%s'",
addcslashes(mysql_real_escape_string($_POST['secret']),'%_'));
一影成城 2024-09-21 12:30:56

为什么不使用mysql_escape_string?是的,他可以,添加 " 而不是 ' 并且加上,我猜这个查询会给你一个错误。

Why just don't use mysql_escape_string? And yes, he could, adding " instead of ' and plus, this query will give you an error, I guess.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文