如何将可疑的 SQL 注入攻击安全地存储在数据库中?
我该如何将潜在的 SQL 注入攻击存储在数据库中?
首先假设我检测到潜在的攻击,并将有问题的攻击字符串放在变量中,并希望将其添加到包含可疑事件日志的表中。
我需要做什么才能安全地将这些字符串插入数据库以免产生错误?
我有一种感觉,这将是类似于 htmlspecialchars 和 mysql_real_escape_string 的东西......但我想把它扔在那里,看看其他人是否有任何想法!
一种想法是将攻击存储为编码的 base64 值,但这似乎有点 hackish...
仅供参考,我正在用 PHP 编写应用程序:)
任何回复将不胜感激!
How would I go about storing potential SQL injection attacks in a database?
Assume first that I have detected a potential attack, and have the offending attack string in a variable and would like to add it to a table containing a log of suspicious events.
What would I need to do to safely insert these strings into a database so that no errors would be produced?
I have a feeling that it will be something along the lines of htmlspecialchars and mysql_real_escape_string... but I wanted to throw it out there to see if anybody else had any ideas!
One thought was to store the attack as an encoded base64 value, but that seems a bit hackish...
FYI, I am writing the application in PHP :)
Any responses would be greatly appreciated!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
始终使用参数化查询。如果您使用参数,则不需要依赖转义字符串,并且您的查询将始终完全按照您的意图进行。
例如:
请参阅此处的 PDO 准备文档:
http://www.php.net/手册/en/pdo.prepare.php
Always use parameterized queries. If you are using parameters, you don't need to rely on escaping strings and your query will always do exactly what you intend.
e.g.:
See documentation for PDO prepare here:
http://www.php.net/manual/en/pdo.prepare.php
使用mysqli准备好的语句来存储查询,这是避免sql注入最安全的方法。如果您打算通过 Web 界面显示它们并担心 XSS/CSRF 攻击,请在显示它们之前使用
htmlspecialchars()。Use mysqli prepared statements to store the queries, it's the safest method to avoid sql injection. If you're going to display them via a web interface and concerned about XSS/CSRF attacks, use
htmlspecialchars()before displaying them.与存储任何其他数据的方式相同。
无论你如何称呼它,存储 SQL 注入攻击并没有什么特别的。
The same way you are storing any other data.
There is nothing special in storing SQL injection attacks, whatever you call it.
就像 Steve Mayne 所说...请使用 php PDO 连接和准备好的语句。现在是保险箱。不要再使用 mysql_connect() 和子函数,因为它已经过时了,并且您无法充分受益于新的 mysql / sql / 等 .. 函数。
Like Steve Mayne said ... please use php PDO connection with prepared statements. It's the safes right now . Don't user mysql_connect() and subfunctions anymore because it's old and you cannot fully benefit of new mysql / sql / etc .. funcitons .
我要做的就是通过简单的加密来运行它。
然后当你想显示可疑的sql时,你只需解密它即可。
这应该确保可疑的 sql 语句不会在您的数据库上执行。
All I would do is run it though a simple encryption.
Then when you want to show the suspected sql, you would just decrypt it.
This should insure the suspected sql statement does not get executed on your db.