后置参数不可注入
我想了解为什么不能以 POST 参数形式注入 sql 语句。我用 sqlmap 和手动尝试过,但没有成功。
有一个定义的函数:
function mysql_get_result($sQuery, $hSocket) //$sQuery: mysql query,
$hSocket:MySQLSocket(mysql_connect).
{
$sResource = mysql_query($sQuery, $hSocket);
list($sValue) = mysql_fetch_row($sResource);
return $sValue;
}
并且有 POST 参数的实际查询:
(mysql_get_result("SELECT place FROM towns
WHERE place = '".$sR_place."' AND num = '".$iR_num."'", $hMySQLSocket)
== $sR_place and $sR_place != '')
根本没有输入清理。那么为什么它不起作用呢? sql注入是否仅在其mysql_query函数没有更多步骤执行时才起作用?
I want to understand why its not possible to inject sql statements in the form POST parameters. I tried it with sqlmap and manually without success.
There is a defined function:
function mysql_get_result($sQuery, $hSocket) //$sQuery: mysql query,
$hSocket:MySQLSocket(mysql_connect).
{
$sResource = mysql_query($sQuery, $hSocket);
list($sValue) = mysql_fetch_row($sResource);
return $sValue;
}
and there is the actual query for the POST parameter:
(mysql_get_result("SELECT place FROM towns
WHERE place = '".$sR_place."' AND num = '".$iR_num."'", $hMySQLSocket)
== $sR_place and $sR_place != '')
No input sanitiazion at all. So why isnt it working ? Does sql injection only work when its mysql_query function without more steps to do?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您的代码应该容易受到 SQL 注入的攻击,因为您没有使用 mysql_real_escape_string 进行清理,也没有参数化查询。
您应该尝试修改 POST 参数,因为问题很可能是您的攻击格式不正确。 尝试各种攻击。
Your code should vulnerable to SQL injection, since you're not sanitizing with
mysql_real_escape_string, or parameterizing the query.You should try revising your POST parameters, because the issue is most likely that your attack isn't properly formatted. Try a variety of attacks.