PHP MySQL $_GET 防黑客攻击
可能的重复:
在 PHP 中停止 SQL 注入的最佳方法
在 PHP 中停止 使用 $_GET 函数从 URL 检索变量如何使其防黑客?现在我只有 addSlashes,我还应该添加什么?
$variable1 = addslashes($_GET['variable1']);
//www.xxxxx.com/GetTest.php?variable1=xxxx
Possible Duplicate:
Best way to stop SQL Injection in PHP
If I were to use the $_GET function to retrieve a variable from the URL how can I make it hack proof? Right now I just have addSlashes, what else should I add?
$variable1 = addslashes($_GET['variable1']);
//www.xxxxx.com/GetTest.php?variable1=xxxx
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
对于任何输入的首要规则,不仅仅是 $_GET,甚至对于 $_POST、$_FILES 以及从磁盘或流中读取的任何内容,都应该始终进行验证。
现在更详细地回答你的问题,这个世界上存在一些黑客。让我向您展示一些:
XSS 注入
如果您接受来自 URL 的数据(例如来自 $_GET 的数据)并输出此数据而不删除可能的标签,则可能会使您的网站容易遭受 XSS 注入或代码注入。例如:
这将向您的网站输出黑客攻击,并且人们将被重定向到另一个页面。此页面可能是窃取凭据的网络钓鱼尝试
SQL 注入
可以将 SQL 注入到您的应用程序中。例如:
将使您的 SQL 看起来像这样:
因此您会将所有用户的密码更新为 Hello,然后返回不匹配的内容。
这只是 SQL 注入功能的简要概述。为了保护自己,请使用mysql_real_escape_string或PDO或任何好的数据库抽象层。
代码注入
很多人喜欢包含磁盘上某个位置的数据并允许上传文件。例如:
url 允许您按名称包含文件。 ?show=myhotfile.txt
该人将其更改为 ?show=../uploads/igotuploaded.txt,您将运行 echo 'Hello world';
那很危险。
经验法则...永远不要相信用户输入,总是验证、预防、验证、修复、验证并再次正确...
祝你好运
The first and foremost rule with ANY input, not just $_GET but even with $_POST, $_FILES and anything you read from disk or from a stream you should always VALIDATE.
Now to answer your question in more details, you have several HACKS that exist in this world. Let me show you some:
XSS injections
If you accept data from the URL such as from the $_GET and output this data without stripping out possible tags, you might render your site prone to XSS injection or code injection. For example:
This would output a hack to your site and people would be redirected to another page. This page could be a phishing attempt to steal credentials
SQL Injection
It is possible to inject SQL to your application. For example:
Would make your SQL look like this:
And thus you'd update all your user's password to Hello and then return something that doesn't match.
This is only a brief overview of what you can do with SQL injection. To protect yourself, use mysql_real_escape_string or PDO or any good DB abstraction layer.
Code injection
Lots of people like to include data from somewhere on the disk and allow uploads of files. For example:
And the url allows you to INCLUDE a file by name. ?show=myhotfile.txt
The person changes that to ?show=../uploads/igotuploaded.txt and you will run echo 'Hello world';
That is dangerous.
rule of thumb... NEVER TRUST USER INPUT, always validate, prevent, validate, fix, validate and again correct...
Good luck
这完全取决于你要用它做什么:
在不知道要如何处理数据的情况下,它无法说出会发生什么很安全。
That totally depends on what you are going to do with it:
Without knowing what you are going to do with your data, it is impossible to say what would make it safe.
使用用户输入(任何 HTTP 请求都算作用户输入)时面临的两个最大风险是:
您应该熟悉风险和防御措施。针对每种威胁的防御措施各不相同。使用addslashes()并不是一个完整的防御。
OWASP 十大项目是了解有关安全 Web 编程的更多信息的绝佳资源。
我做了一个关于SQL注入神话和谬论的演示我希望对你有帮助。
The two greatest risks you face when using user input (any HTTP request counts as user input) are:
You should get familiar with the risks and the defenses. The defenses for each of these threats are different. Using addslashes() is not a complete defense.
A great resource for learning more about secure web programming is the OWASP Top Ten project.
I've done a presentation about SQL Injection Myths and Fallacies that I hope is helpful for you.
原始读取 $_GET 变量并不危险,
危险通常存在于 SQL 注入中,
例如:
使用查询:
要防止这种情况:
Reading $_GET variables raw isn't dangerous,
The danger usually lies within SQL Injections,
for example:
With the query:
To prevent this: