我可以对这段代码进行 SQL 注入吗?

发布于 2024-10-14 12:41:13 字数 457 浏览 9 评论 0原文

我仍在学习 SQL 注入,但对我来说最好的方法始终是使用示例,所以这是我代码的一部分:

$sql = "INSERT INTO `comments` (`id`, `idpost`, `comment`, `datetime`, `author`, `active`) 
        VALUES (NULL, '" . addslashes($_POST['idcomment']) . "', '" . 
        addslashes($_POST['comment']) . "', NOW(), '" . 
        addslashes($_POST['name']) . "', '1');";

  mysql_query($sql);

知道所有 POST 变量都是由用户输入的,你能告诉我如何进行注入吗这个脚本?这样我就可以更多地了解这个漏洞。谢谢!

我的数据库服务器是MySQL。

I'm still learning about SQL injection, but always the best way for me was using examples, so this is part of my code:

$sql = "INSERT INTO `comments` (`id`, `idpost`, `comment`, `datetime`, `author`, `active`) 
        VALUES (NULL, '" . addslashes($_POST['idcomment']) . "', '" . 
        addslashes($_POST['comment']) . "', NOW(), '" . 
        addslashes($_POST['name']) . "', '1');";

  mysql_query($sql);

Knowing that all the POST vars are entered by the user, can you show me how can i make an injection to this script? so i can understand more about this vulnerability. Thanks!

my database server is MySQL.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

月下伊人醉 2024-10-21 12:41:13

不要使用addslashes(),始终使用mysql_real_escape_string()。在已知的边缘情况下,addslashes() 是不够的< /a>.

如果从头开始做新的事情,最好使用支持准备好的语句的数据库包装器,如 PDO 或 mysqli。

Don't use addslashes(), always use mysql_real_escape_string(). There are known edge cases where addslashes() is not enough.

If starting something new from scratch, best use a database wrapper that supports prepared statements like PDO or mysqli.

凶凌 2024-10-21 12:41:13

大多数其他答案似乎完全忽略了这个问题的要点。

也就是说,根据上面的示例(尽管您的代码没有遵循 mysql_real_escape_string() 的最佳实践使用),当您使用 addslashes 时,我无法注入任何真正有害的内容()。

但是,如果您要省略它,用户可以在 name 字段中输入一个字符串,如下所示:

some name'; DROP TABLE comments; --

目标是结束当前语句,然后执行您自己的语句。 -- 是一条注释,用于确保处理注入的字符串后通常不会出现任何情况。

然而(再次),据我了解,MySQL 默认情况下会在单个语句执行结束时自动关闭数据库连接。因此,即使我确实尝试删除一个表,MySQL 也会导致第二条语句失败。

但这并不是唯一的 SQL 注入类型,我建议您阅读更多有关该主题的内容。我的研究发现了来自 dev.mysql.com 的这份文档,该文档非常好: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf


Edit, another thought:

根据数据进入数据库后发生的情况,我可能根本不想注入任何 SQL。我可能想注入一些 HTML/JavaScript,当您将数据发布回 跨站脚本(XSS)攻击。这也是需要注意的事情。

Most of the other answers seem to have missed the point of this question entirely.

That said, based on your example above (and despite your code not following the best practice use of mysql_real_escape_string()) it is beyond my ability to inject anything truly detrimental when you make use of addslashes().

However, if you were to omit it, a user could enter a string into the name field that looks something like:

some name'; DROP TABLE comments; --

The goal is to end the current statement, and then execute your own. -- is a comment and is used to make sure nothing that would normally come after the injected string is processed.

However (again), it is my understanding that MySQL by default automatically closes the DB connection at the end of a single statement's execution. So even if I did get so far as to try and drop a table, MySQL would cause that second statement to fail.

But this isn't the only type of SQL injection, I would suggest reading up some more on the topic. My research turned up this document from dev.mysql.com which is pretty good: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf


Edit, another thought:

Depending on what happens to the data once it goes to the database, I may not want to inject any SQL at all. I may want to inject some HTML/JavaScript that gets run when you post the data back out to a webpage in a Cross-Site Scripting (XSS) attack. Which is also something to be aware of.

花开柳相依 2024-10-21 12:41:13

如前所述,对于字符串,使用 mysql_real_escape_string() 而不是 addslashes()对于整数,使用intval()

/* little code cleanup */

$idcomment = intval($_POST['idcomment']);
$comment = mysql_real_escape_string($_POST['comment']);
$name = mysql_real_escape_string($_POST['name']);

$sql = "INSERT INTO comments (idpost, comment, datetime, author, active)
        VALUES ($idcomment, '$comment', NOW(), '$name', 1)";

mysql_query($sql);

As said before, for strings, use mysql_real_escape_string() instead of addslashes() but for integers, use intval().

/* little code cleanup */

$idcomment = intval($_POST['idcomment']);
$comment = mysql_real_escape_string($_POST['comment']);
$name = mysql_real_escape_string($_POST['name']);

$sql = "INSERT INTO comments (idpost, comment, datetime, author, active)
        VALUES ($idcomment, '$comment', NOW(), '$name', 1)";

mysql_query($sql);
吃兔兔 2024-10-21 12:41:13

Addslashes 仅处理引号。

但这里还有一些更重要的情况:

Be careful on whether you use double or single quotes when creating the string to be escaped:

$test = 'This is one line\r\nand this is another\r\nand this line has\ta tab';

echo $test;
echo "\r\n\r\n";
echo addslashes($test);

$test = "This is one line\r\nand this is another\r\nand this line has\ta tab";

echo $test;
echo "\r\n\r\n";
echo addslashes($test);

另一种情况:

In particular, MySQL wants \n, \r and \x1a escaped which addslashes does NOT do. Therefore relying on addslashes is not a good idea at all and may make your code vulnerable to security risks.

还有一种情况:

Be very careful when using addslashes and stripslashes in combination with regular expression that will be stored in a MySQL database. Especially when the regular expression contain escape characters!

To store a regular expression with escape characters in a MySQL database you use addslashes. For example:

$l_reg_exp = addslashes( �[\x00-\x1F]� );

After this the variable $l_reg_exp will contain: [\\x00-\\x1F].

When you store this regular expression in a MySQL database, the regular expression in the database becomes [\x00-\x1F].

When you retrieve the regular expression from the MySQL database and apply the PHP function stripslashes(), the single backslashes will be gone!

The regular expression will become [x00-x1F] and your regular expression might not work!

请记住,神奇的情况可能发生在:

  • addslashes
  • 添加到数据库之前,
  • 中,在检索后 它可能会错过某些内容来自数据库

您的示例只是摘录。真正的问题在这里可能还看不出来。


(基于 php.net 的评论,这些评论通常比手册更有价值本身)

Addslashes handles only quotes.

But there are some more important cases here:

Be careful on whether you use double or single quotes when creating the string to be escaped:

$test = 'This is one line\r\nand this is another\r\nand this line has\ta tab';

echo $test;
echo "\r\n\r\n";
echo addslashes($test);

$test = "This is one line\r\nand this is another\r\nand this line has\ta tab";

echo $test;
echo "\r\n\r\n";
echo addslashes($test);

Another one:

In particular, MySQL wants \n, \r and \x1a escaped which addslashes does NOT do. Therefore relying on addslashes is not a good idea at all and may make your code vulnerable to security risks.

And one more:

Be very careful when using addslashes and stripslashes in combination with regular expression that will be stored in a MySQL database. Especially when the regular expression contain escape characters!

To store a regular expression with escape characters in a MySQL database you use addslashes. For example:

$l_reg_exp = addslashes( �[\x00-\x1F]� );

After this the variable $l_reg_exp will contain: [\\x00-\\x1F].

When you store this regular expression in a MySQL database, the regular expression in the database becomes [\x00-\x1F].

When you retrieve the regular expression from the MySQL database and apply the PHP function stripslashes(), the single backslashes will be gone!

The regular expression will become [x00-x1F] and your regular expression might not work!

Remember, that the magic may happen in:

  • addslashes which may miss something
  • before adding to database
  • after retrieving from database

Your example is just an excerpt. The real problem might not be visible here yet.


(based on comments from php.net which are very often more valuable than the manual itself )

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文