我可以对这段代码进行 SQL 注入吗?
我仍在学习 SQL 注入,但对我来说最好的方法始终是使用示例,所以这是我代码的一部分:
$sql = "INSERT INTO `comments` (`id`, `idpost`, `comment`, `datetime`, `author`, `active`)
VALUES (NULL, '" . addslashes($_POST['idcomment']) . "', '" .
addslashes($_POST['comment']) . "', NOW(), '" .
addslashes($_POST['name']) . "', '1');";
mysql_query($sql);
知道所有 POST 变量都是由用户输入的,你能告诉我如何进行注入吗这个脚本?这样我就可以更多地了解这个漏洞。谢谢!
我的数据库服务器是MySQL。
I'm still learning about SQL injection, but always the best way for me was using examples, so this is part of my code:
$sql = "INSERT INTO `comments` (`id`, `idpost`, `comment`, `datetime`, `author`, `active`)
VALUES (NULL, '" . addslashes($_POST['idcomment']) . "', '" .
addslashes($_POST['comment']) . "', NOW(), '" .
addslashes($_POST['name']) . "', '1');";
mysql_query($sql);
Knowing that all the POST vars are entered by the user, can you show me how can i make an injection to this script? so i can understand more about this vulnerability. Thanks!
my database server is MySQL.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
不要使用
addslashes()
,始终使用mysql_real_escape_string()
。在已知的边缘情况下,addslashes() 是不够的< /a>.如果从头开始做新的事情,最好使用支持准备好的语句的数据库包装器,如 PDO 或 mysqli。
Don't use
addslashes()
, always usemysql_real_escape_string()
. There are known edge cases where addslashes() is not enough.If starting something new from scratch, best use a database wrapper that supports prepared statements like PDO or mysqli.
大多数其他答案似乎完全忽略了这个问题的要点。
也就是说,根据上面的示例(尽管您的代码没有遵循 mysql_real_escape_string() 的最佳实践使用),当您使用 addslashes 时,我无法注入任何真正有害的内容()。
但是,如果您要省略它,用户可以在
name
字段中输入一个字符串,如下所示:目标是结束当前语句,然后执行您自己的语句。
--
是一条注释,用于确保处理注入的字符串后通常不会出现任何情况。然而(再次),据我了解,MySQL 默认情况下会在单个语句执行结束时自动关闭数据库连接。因此,即使我确实尝试删除一个表,MySQL 也会导致第二条语句失败。
但这并不是唯一的 SQL 注入类型,我建议您阅读更多有关该主题的内容。我的研究发现了来自 dev.mysql.com 的这份文档,该文档非常好: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf
Edit, another thought:
根据数据进入数据库后发生的情况,我可能根本不想注入任何 SQL。我可能想注入一些 HTML/JavaScript,当您将数据发布回 跨站脚本(XSS)攻击。这也是需要注意的事情。
Most of the other answers seem to have missed the point of this question entirely.
That said, based on your example above (and despite your code not following the best practice use of
mysql_real_escape_string()
) it is beyond my ability to inject anything truly detrimental when you make use ofaddslashes()
.However, if you were to omit it, a user could enter a string into the
name
field that looks something like:The goal is to end the current statement, and then execute your own.
--
is a comment and is used to make sure nothing that would normally come after the injected string is processed.However (again), it is my understanding that MySQL by default automatically closes the DB connection at the end of a single statement's execution. So even if I did get so far as to try and drop a table, MySQL would cause that second statement to fail.
But this isn't the only type of SQL injection, I would suggest reading up some more on the topic. My research turned up this document from dev.mysql.com which is pretty good: http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf
Edit, another thought:
Depending on what happens to the data once it goes to the database, I may not want to inject any SQL at all. I may want to inject some HTML/JavaScript that gets run when you post the data back out to a webpage in a Cross-Site Scripting (XSS) attack. Which is also something to be aware of.
如前所述,对于字符串,使用 mysql_real_escape_string() 而不是 addslashes() 但对于整数,使用intval()。
As said before, for strings, use mysql_real_escape_string() instead of addslashes() but for integers, use intval().
Addslashes 仅处理引号。
但这里还有一些更重要的情况:
另一种情况:
还有一种情况:
请记住,神奇的情况可能发生在:
addslashes
您的示例只是摘录。真正的问题在这里可能还看不出来。。
(基于 php.net 的评论,这些评论通常比手册更有价值本身)
Addslashes handles only quotes.
But there are some more important cases here:
Another one:
And one more:
Remember, that the magic may happen in:
addslashes
which may miss somethingYour example is just an excerpt. The real problem might not be visible here yet.
(based on comments from php.net which are very often more valuable than the manual itself )