即使变量被转义，SQL 注入也会发生

发布于 2024-12-08 03:28:30 字数 1025 浏览 1 评论 0原文

仅当我的查询如下例所示时，sql 注入才会起作用

SELECT * FROM login WHERE id = $my_id_va;

假设如果我的查询是

SELECT * FROM login WHERE id = $my_id_va ORDER BY id DESC

那么我将收到以下错误

#1064 - 您的 SQL 语法有错误；检查手册与您的 MySQL 服务器版本相对应，以便使用正确的语法第 1 行“order by id desc”附近

因此，这个 1 或 1=1; SHOW TABLES 不起作用，对吗？

我的网站连续多次被黑客攻击。

我想要一个快速答案：当我的查询如下所示时，他们可以使用哪些方式或哪些类型的查询来攻击我的网站？

SELECT * FROM login WHERE id = $my_id_va ORDER BY id DESC

执行 show table< 的方法有哪些/code> 在下面的查询中，

SELECT * FROM login WHERE id = $my_id_va ORDER BY id DESC

我还使用转义函数来处理查询字符串值，例如 mysql_real_escape_string($my_id_va) 。是的，显然这是针对单一相关的黑客攻击，但不确定。

添加了更多内容

SELECT EventActuallyCharged, EventDate FROM tblevent WHERE EventDate between '2011-07-21 or 1=1; SHOW TABLES --' and '2011-07-31' ORDER BY EventDate DESC

，但显示表格不起作用

原文

The sql injection will work only when my query looks like below sample

SELECT * FROM login WHERE id = $my_id_va;

Assume if my query is

SELECT * FROM login WHERE id = $my_id_va ORDER BY id DESC

Than I will get following error

#1064 - You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'order by id desc' at line 1

So, this 1 or 1=1; SHOW TABLES will not work, correct?

My site was hacked successively many times.

I want one quick answer: When my query looks like the following one, what ways or which types of query can they use to hack my site?

SELECT * FROM login WHERE id = $my_id_va ORDER BY id DESC

What are the ways to execute the show table in the following query

SELECT * FROM login WHERE id = $my_id_va ORDER BY id DESC

I am also using escaping function to handle the query string values, like mysql_real_escape_string($my_id_va). Yes, obviously this for single related hack, but not sure.

Added some more

SELECT EventActuallyCharged, EventDate FROM tblevent WHERE EventDate between '2011-07-21 or 1=1; SHOW TABLES --' and '2011-07-31' ORDER BY EventDate DESC

but show table not worked

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

旧瑾黎汐 2024-12-15 03:28:31

1. 第一个查询以某种方式安全

$sql = sprintf('SELECT * FROM login WHERE id = %d ORDER BY id DESC', mysql_real_escape_string($my_id_va));

2. 第二个查询以某种方式安全

$sql = sprintf("SELECT EventActuallyCharged, EventDate FROM tblevent WHERE EventDate BETWEEN '%s' AND '%s' ORDER BY EventDate DESC", 
             mysql_real_escape_string($start_date),
             mysql_real_escape_string($end_date));

阅读有关 sprintf< 的文档/code>如果你不明白。

然而，正如其他人所说，如果您将参数化查询与诸如 PDO 或 < MySQLi。

1. First query somehow secured

$sql = sprintf('SELECT * FROM login WHERE id = %d ORDER BY id DESC', mysql_real_escape_string($my_id_va));

2. Second query somehow secured

$sql = sprintf("SELECT EventActuallyCharged, EventDate FROM tblevent WHERE EventDate BETWEEN '%s' AND '%s' ORDER BY EventDate DESC", 
             mysql_real_escape_string($start_date),
             mysql_real_escape_string($end_date));

Read the docs about sprintf if you don't understand it.

However, as others have said, it would be very very secure if you would use parameterized queries with a class such as PDO or MySQLi.

回复收藏 0 原文

晨与橙与城 2024-12-15 03:28:30

如果您使用 PHP5，请使用参数化查询，使用 PDO。

回复收藏 0 原文

可是我不能没有你 2024-12-15 03:28:30

Intcast

如果id是一个数字，你也可以对你的变量进行intcast。整数可以安全使用：

$x = (int)$yourInputVar;
$s = "select * from Table where id = $x";

mysql_real_escape_string

如果你想传递一个字符串，你可以而且应该使用mysql_real_escape_string，但是这个函数只转义字符串内的那些字符。您仍然需要在字符串周围添加引号，因此：

 $x = mysql_real_escape_string('hello');
 $s = "select * from Table where id = $x";

.. 将导致查询：select * from Table where id = hello。这显然不是一个有效的查询，因为 hello 应该用引号引起来。

将查询更改为：

 $x = mysql_real_escape_string('hello');
 $s = "select * from Table where id = '$x'";

.. 一切正常。您添加引号，mysql_real_escape_string 会处理字符串内的特殊字符（如果有）。

参数

另一种解决方案是使用参数化查询。这可以通过使用 MySQLi 或 PDO 来完成。优点是您只需告诉数据库应该在哪里插入变量，数据库会自行处理转义。

它还可能会增加性能优势，因为这些查询可以在没有参数的情况下进行缓存，从而更有效地利用查询缓存。不过，这在当前版本的 MySQL 中还不能真正起作用。

Int cast

If id is a number, you can int-cast your variable as well. Integers are safe to use:

$x = (int)$yourInputVar;
$s = "select * from Table where id = $x";

mysql_real_escape_string

If you want to pass a string, you can, and should, use mysql_real_escape_string, but this function escapes only those characters that are inside the string. You will still need to add quotes around the string, so:

 $x = mysql_real_escape_string('hello');
 $s = "select * from Table where id = $x";

.. will result in the query: select * from Table where id = hello. This is obiously not a valid query, since hello should be in quotes.

Change the query to:

 $x = mysql_real_escape_string('hello');
 $s = "select * from Table where id = '$x'";

.. and everything works fine. You add the quotes around, and mysql_real_escape_string takes care of special characters inside the string, if any.

Parameters

Another solution is to use parameterized queries. This can by done using MySQLi or PDO. The advantage is that you only tell your database where a variable should be inserted, and the database takes care of the escaping yourself.

It also may add a performance benefit, because these queries could be cached without their parameters, make a more efficient use of the query cache. This doesn't really work yet in current versions of MySQL, though.

回复收藏 0 原文