SQL injection using UNION and load_file()
My website has been attacked by SQL injection. The hacker used the following in the URL query string:
abc-buy.php?sid=144760&op=-3+union+all+select+1,2,3,4,5,6,7,load_file%28%22/etc/passwd%22%29
How can I avoid these kinds of attacks?
How to validate the input depends on what the input is, but in this case it's probably pretty obvious that
-3+union+all+select+1,2,3,4,5,6,7,load_file%28%22/etc/passwd%22%29
is not valid input for op (whatever op is). So in this case, it would probably be as simple as adding some code to check that the value for "op" matches one of the expected values.
You should do this for every value you receive from users, although it's trickier for free-form fields like email addresses or comments. But still, make sure they are valid data for the field they're matching, and escape any free-form fields before you insert them into the database. That can make the difference between:
and:
The functional difference being that with the first (un-escaped) version, the
DROP TABLE users;
command executes, and with the second, you simply insert a new user with a really long, silly name of
Robert"); DROP TABLE users; SELECT 1 WHERE "x"="
Switch to PDO and use prepared statements with placeholders for everything.
As most of the answers say, you should escape everything you save into your database (field placeholders).
But I have recently discovered that you should escape all placeholders in your query, because without it:
Placeholders for the "FROM clause" could allow hackers to access any table's data.
Placeholders for the "WHERE clause" could allow hackers to access any row in the current table. That means a hacker could access your app as any user in your database when trying to log in.
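The following is an added example and is not code from the question or from any of the answers above. It ties the first three answers together in PHP: it reproduces the UNION pattern from the question against an in-memory SQLite database through PDO (so it runs offline with the pdo_sqlite extension), then applies the allow-list check the first answer suggests and the bound parameters the second answer suggests. The products and users tables, their columns and rows, and the set of allowed op values are all invented for the demo. load_file() is MySQL-only, so the injected SELECT reads a row from the constructed users table instead, and it supplies four columns rather than the eight in the original payload because the demo query selects four columns; the attacker has to match however many the real query returns.

```php
<?php
// Added example: reproduces the attack from the question against SQLite via PDO,
// then shows the allow-list and prepared-statement fixes. Schema, rows and the
// set of valid "op" values are invented for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE products (sid INTEGER, op INTEGER, name TEXT, price REAL)');
$pdo->exec("INSERT INTO products VALUES (144760, 1, 'Widget', 9.99)");
$pdo->exec('CREATE TABLE users (id INTEGER, login TEXT, pw_hash TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'admin', 'demo-hash-value')");

// What the attacker sent, after PHP has URL-decoded the query string. load_file()
// does not exist in SQLite, so the last injected column reads the users table instead.
$attack = [
    'sid' => '144760',
    'op'  => "-3 union all select 1,2,3,(select login || ':' || pw_hash from users)",
];

// VULNERABLE: parameters are pasted into the SQL text. "op = -3" matches nothing,
// so the result set is entirely the attacker's UNION ALL SELECT, provided the
// injected SELECT has as many columns as the original (four here, eight in the question).
function vulnerableLookup(PDO $pdo, string $sid, string $op): array
{
    $sql = "SELECT sid, op, name, price FROM products WHERE sid = $sid AND op = $op";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// FIX 1 (second answer): prepared statement with placeholders. The SQL text and the
// values travel separately, so "-3 union all ..." is compared as one literal op
// value and can never become SQL syntax.
function boundLookup(PDO $pdo, string $sid, string $op): array
{
    $stmt = $pdo->prepare('SELECT sid, op, name, price FROM products WHERE sid = :sid AND op = :op');
    $stmt->execute([':sid' => $sid, ':op' => $op]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// FIX 2 (first answer): reject anything that is not one of the expected values before
// it reaches the database at all. ALLOWED_OPS is assumed; use the page's real set.
const ALLOWED_OPS = ['1', '2', '3'];

function validatedLookup(PDO $pdo, string $sid, string $op): array
{
    if (!ctype_digit($sid) || !in_array($op, ALLOWED_OPS, true)) {
        throw new InvalidArgumentException("rejected sid={$sid} op={$op}");
    }
    // Validate AND bind; neither is a substitute for the other.
    return boundLookup($pdo, $sid, $op);
}

echo "vulnerable:\n";
print_r(vulnerableLookup($pdo, $attack['sid'], $attack['op'])); // the users row comes back as the 4th column

echo "bound:\n";
print_r(boundLookup($pdo, $attack['sid'], $attack['op']));      // empty: no product has that literal op value

echo "validated:\n";
try {
    validatedLookup($pdo, $attack['sid'], $attack['op']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                                  // rejected before any query runs
}

print_r(validatedLookup($pdo, '144760', '1'));                   // a legitimate request still works
```

Placeholders bind values only: a table or column name taken from the user (the FROM-clause case raised in the third answer) cannot be passed to prepare() as a parameter, so it has to be mapped through an allow-list in the same way ALLOWED_OPS gates op here.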
Use Zend Framework. That will prevent it by default.
http://framework.zend.com/
Or escape everything you put in the database.
http://php.net/manual/en/function.mysql-real-escape-string.php