Home Backend Development PHP Tutorial Use TP framework to imitate SQL attack injection

Use TP framework to imitate SQL attack injection

Mar 14, 2018 am 10:51 AM
attack frame injection

ImitationsqlInjection

##SEO:

1, if optimized, the title part is very important, the ## used to optimize the keywords of our website

#Search engines will classify your website based on keywords. If the website weight is high, when users search for keywords, they will see your website first

2, Japanese website --- points to the English website, indicating that the Japanese website voted for the English website. If the Japanese website voted for the English website, The more votes you cast, the better the English website is

PreventSQL injection:

1

, create a user login form

select()

will query all records

find()

Only one record will be queried

Write a simple username verification, write

'or 1 or' in the username form. Prompt that the username is correct,

# Thought question: Why did it succeed without verification?

#echo $model->getLastsql();//Print out the sql statement

After querying the executed

sql statement, we found that the cause of sql injection was the single quote

Because:

##1

, through php ##Magic quotes, to escape the data entered by the user The lower version of php is enabled by default, which will automatically Escape the data entered by the user

php.ini in

is enabled and changed to

Magic_quotes_gpc=On

can prevent correct verification

##2

and escape the data submitted by the user

Call the

addslashes()

function of php##$username= addslashes($_POST['username']);Use the addslashes function to process 3

, and use the ## of

thinkphp #System variablesGet external data $this->_server

## thinkphpSystem constants (4)

$this->_post('username', 'addslashes');

4, using arrayastp in the frame wherecondition

##5, directly write the query statement as

$list=$model->where('user_name="'.$username.'" and dept_id="'.$password.'"')-> select();The login will not be successful

Example:

//仿sql注入
public function login(){
 $this->display();
 }
public function verify(){
 //用户名'or 1 or'登录会提示登录成功,是不正确的
 //方法1修改ini.php
 $username=$_POST['username'];
 $password=$_POST['password'];
 //方法2
 /*$username=addslashes($_POST['username']);
 $password=$_POST['password'];
 //方法3
 $this->_post('username','addslashes');
 $password=$_POST['password'];
 //方法4数组
 $cond['user_name']=$username;
 $cond['dept_id']=$password;
 $list=$model->where($cond)->find();*/
 
 $model=M('User');
 //方法5
    // $list=$model->where('user_name="'.$username.'" and dept_id="'.$password.'"')->select();
  $list=$model->where("user_name='$username' and dept_id='$password'")->select();
  echo $model->getLastsql();//打印出sql语句
  if($list){
   echo '登录成功';
   }else{
    echo '登录失败';
    }
   
 }
Copy after login

tpl:

<form action="URL/verify" method="post">
用户名:<input type="text" name="username">
密码:<input type="text" name="password">
<input type="submit" value="提交">
</form>
Copy after login

The above is about how thinkphp prevents SQL injection attacks. There is more than one method. You can try to write it down and practice it.

Related recommendations:

Examples of methods to prevent SQL injection in PHP

The above is the detailed content of Use TP framework to imitate SQL attack injection. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

How to evaluate the cost-effectiveness of commercial support for Java frameworks How to evaluate the cost-effectiveness of commercial support for Java frameworks Jun 05, 2024 pm 05:25 PM

Evaluating the cost/performance of commercial support for a Java framework involves the following steps: Determine the required level of assurance and service level agreement (SLA) guarantees. The experience and expertise of the research support team. Consider additional services such as upgrades, troubleshooting, and performance optimization. Weigh business support costs against risk mitigation and increased efficiency.

How does the learning curve of PHP frameworks compare to other language frameworks? How does the learning curve of PHP frameworks compare to other language frameworks? Jun 06, 2024 pm 12:41 PM

The learning curve of a PHP framework depends on language proficiency, framework complexity, documentation quality, and community support. The learning curve of PHP frameworks is higher when compared to Python frameworks and lower when compared to Ruby frameworks. Compared to Java frameworks, PHP frameworks have a moderate learning curve but a shorter time to get started.

How do the lightweight options of PHP frameworks affect application performance? How do the lightweight options of PHP frameworks affect application performance? Jun 06, 2024 am 10:53 AM

The lightweight PHP framework improves application performance through small size and low resource consumption. Its features include: small size, fast startup, low memory usage, improved response speed and throughput, and reduced resource consumption. Practical case: SlimFramework creates REST API, only 500KB, high responsiveness and high throughput

Performance comparison of Java frameworks Performance comparison of Java frameworks Jun 04, 2024 pm 03:56 PM

According to benchmarks, for small, high-performance applications, Quarkus (fast startup, low memory) or Micronaut (TechEmpower excellent) are ideal choices. SpringBoot is suitable for large, full-stack applications, but has slightly slower startup times and memory usage.

Golang framework documentation best practices Golang framework documentation best practices Jun 04, 2024 pm 05:00 PM

Writing clear and comprehensive documentation is crucial for the Golang framework. Best practices include following an established documentation style, such as Google's Go Coding Style Guide. Use a clear organizational structure, including headings, subheadings, and lists, and provide navigation. Provides comprehensive and accurate information, including getting started guides, API references, and concepts. Use code examples to illustrate concepts and usage. Keep documentation updated, track changes and document new features. Provide support and community resources such as GitHub issues and forums. Create practical examples, such as API documentation.

How to choose the best golang framework for different application scenarios How to choose the best golang framework for different application scenarios Jun 05, 2024 pm 04:05 PM

Choose the best Go framework based on application scenarios: consider application type, language features, performance requirements, and ecosystem. Common Go frameworks: Gin (Web application), Echo (Web service), Fiber (high throughput), gorm (ORM), fasthttp (speed). Practical case: building REST API (Fiber) and interacting with the database (gorm). Choose a framework: choose fasthttp for key performance, Gin/Echo for flexible web applications, and gorm for database interaction.

Java Framework Learning Roadmap: Best Practices in Different Domains Java Framework Learning Roadmap: Best Practices in Different Domains Jun 05, 2024 pm 08:53 PM

Java framework learning roadmap for different fields: Web development: SpringBoot and PlayFramework. Persistence layer: Hibernate and JPA. Server-side reactive programming: ReactorCore and SpringWebFlux. Real-time computing: ApacheStorm and ApacheSpark. Cloud Computing: AWS SDK for Java and Google Cloud Java.

What are the common misunderstandings in the learning process of Golang framework? What are the common misunderstandings in the learning process of Golang framework? Jun 05, 2024 pm 09:59 PM

There are five misunderstandings in Go framework learning: over-reliance on the framework and limited flexibility. If you don’t follow the framework conventions, the code will be difficult to maintain. Using outdated libraries can cause security and compatibility issues. Excessive use of packages obfuscates code structure. Ignoring error handling leads to unexpected behavior and crashes.

See all articles