php中防xss攻击和sql注入详解 -php手册-php.cn

Home

php教程

php手册

php中防xss攻击和sql注入详解

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

May 25, 2016 pm 04:47 PM

php sql injection Prevent xss attacks

本文章简单的讲述了关于在php中防xss攻击和sql注入详解,有需了解的朋友可以参考一下下.

XSS攻击实例代码如下:

任意执行代码  
    文件包含以及CSRF.  
}

Copy after login

关于SQL攻击有很多文章还有各种防注入脚本,但是都不能解决SQL注入的根本问题

实例代码如下:

<?php  
    mysql_connect("localhost","root","123456")or die("数据库连接失败!");  
    mysql_select_db("test1");  
    $user=$_post[&#39;uid&#39;];  
    $pwd=$_POST[&#39;pass&#39;];  
    if(mysql_query("SELECT * from where  
    admin  
    = `username`=&#39;$user&#39; or `password`=&#39;$pwd&#39;"){  
    echo "用户成功登陆..";  
    } eles {  
    echo "用户名或密码出错";  
    }  
?>

Copy after login

很简单的一段代码,功能是用于检测用户名或密码是否正确,可是在一些恶意攻击者中提交一些敏感代码.后果可想而知.. post判断注入的方式有2种.

1.在form表单的文本框输入 "or'1'=1"或者"and 1=1"

在查询数据库的语句就应该是:

SELECT admin from where login = `user`=''or'1'=1' or `pass`='xxxx'

当然也不会出现什么错误,因为or在sql的语句中代表和,或的意思.当然也会提示错误.

当时我们已经发现了可以执行SQL语句之后就可以查询当前表的所有信息.例如:正确的管理员账户和密码进行登录入侵..

修复方式1:

使用javascript脚本过滤特殊字符(不推荐,指标不治本)

如果攻击者禁用了javascript还是可以进行SQL注入攻击..

修复方式2:

使用mysql的自带函数进行过滤.

实例代码如下:

<?php  
    // 省略连接数据库等操作..  
    $user=mysql_real_escape_string($_POST[&#39;user&#39;]);  
    mysql_query("select * from admin whrer `username`=&#39;$user&#39;");  
?>

Copy after login

既然前面说道了xss攻击,我们再来说说XSS攻击以及防范吧..

提交表单实例代码如下:

<form method="post" action="">  
    <intup tyep="text" name="test">  
    <intup tyep="submit" name="sub" value="提交">  
</form>

Copy after login

接收文件实例代码如下:

if(emptyempty($_POST[&#39;sub&#39;])){  
    echo $_POST[&#39;test&#39;];  
}

Copy after login

很简单的一段代码,在这里只是模拟了下使用场景..

加入攻击者提交实例代码如下:

在返回的页面就应该显示当前页面的cookie信息.

我们可以运用到某些留言板上（提前是没过滤的）,然后当管理员审核改条信息时盗取COOKIE信息,并发送到攻击者的空间或者邮箱..攻击者可以使用cookie修改器进行登陆入侵了..

当然解决方案也有很多..下面就介绍一个最常用的方式吧.

修复方案1:使用javascript进行转义

修复方案2:使用php内置函数进行转义

实例代码如下:

if(emptyempty($_POST[&#39;sub&#39;])){  
    $str=$_POST[&#39;test&#39;];  
    htmlentities($srt);  
    echo $srt;  
}

Copy after login

好了,关于SQL注入攻击和XSS攻击的案例与修复方法就讲的差不多了.

文章地址:

转载随意^^请带上本文地址!

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

How to fix KB5055523 fails to install in Windows 11?

4 weeks ago By DDD

How to fix KB5055518 fails to install in Windows 10?

4 weeks ago By DDD

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks ago By DDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

How to fix KB5055612 fails to install in Windows 10?

3 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Java Tutorial

1664

CakePHP Tutorial

1421

Laravel Tutorial

1315

PHP Tutorial

1266

C# Tutorial

1239

Related knowledge

Explain JSON Web Tokens (JWT) and their use case in PHP APIs. Apr 05, 2025 am 12:04 AM

JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,

Explain late static binding in PHP (static::). Apr 03, 2025 am 12:04 AM

Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.

What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases? Apr 03, 2025 am 12:03 AM

What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.

PHP and Python: Comparing Two Popular Programming Languages Apr 14, 2025 am 12:13 AM

PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.

PHP in Action: Real-World Examples and Applications Apr 14, 2025 am 12:19 AM

PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.

PHP: A Key Language for Web Development Apr 13, 2025 am 12:08 AM

PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7

Explain the match expression (PHP 8 ) and how it differs from switch. Apr 06, 2025 am 12:03 AM

In PHP8, match expressions are a new control structure that returns different results based on the value of the expression. 1) It is similar to a switch statement, but returns a value instead of an execution statement block. 2) The match expression is strictly compared (===), which improves security. 3) It avoids possible break omissions in switch statements and enhances the simplicity and readability of the code.

PHP vs. Python: Understanding the Differences Apr 11, 2025 am 12:15 AM

PHP and Python each have their own advantages, and the choice should be based on project requirements. 1.PHP is suitable for web development, with simple syntax and high execution efficiency. 2. Python is suitable for data science and machine learning, with concise syntax and rich libraries.

See all articles