绕过 mysql_real_escape_string 的保护
一些家伙向我发起挑战,要求我通过 SQL 注入他的代码。他说标题中的 PHP 函数应该足以满足这种情况。
$var = 'my malevolent input will be in here';
$var = mysql_real_escape_string($var);
$sql = "SELECT * FROM `users` WHERE `id` = '$var'";
mysql_query($sql);
我似乎无法绕过单引号转义。我应该使用什么作为 $var 的值? 我可以使用一些东西吗?
一如既往的感谢
Some dude challenged me to sql-inject his code. He said the PHP function in the title should suffice for this case.
$var = 'my malevolent input will be in here';
$var = mysql_real_escape_string($var);
$sql = "SELECT * FROM `users` WHERE `id` = '$var'";
mysql_query($sql);
I can't seem to bypass the single-quote escaping. What should I use as a value for $var? Can I use something?
Thanks, as always
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
不,使用
mysql_real_escape_string被认为对于任何输入都是安全的,除非字符编码不是使用mysql_client_encoding正确设置。No, using
mysql_real_escape_stringis considered to be safe for any input unless the character encoding is not set properly by usingmysql_client_encoding.虽然在某些条件下某些服务器版本可能存在深奥的漏洞,但据我所知,以这种方式使用 mysql_real_escape_string() 通常被认为是安全的。
While there may be esoteric exploits in certain server versions under certain conditions and such, as far as I know, using
mysql_real_escape_string()in this way is generally considered safe.代码中有错误:
$sql = "SELECT * FROM 'users' WHERE 'id' = '$var'";应为
$sql = "SELECT * FROM 'users' WHERE 'id' = '".$var."'";如果您不确定 id 是整数还是字符串。
如果您确定 id 始终是整数,则:
$sql = "SELECT * FROM 'users' WHERE 'id' = ".intval($var)并且您将安全地使用
mysql_real_escape_string();^_^You have an error in code:
$sql = "SELECT * FROM 'users' WHERE 'id' = '$var'";Should be
$sql = "SELECT * FROM 'users' WHERE 'id' = '".$var."'";If you a not sure if id is an integer or a string.
If you are sure that id is always an integer, then:
$sql = "SELECT * FROM 'users' WHERE 'id' = ".intval($var)And you will be safe with
mysql_real_escape_string();^_^