您可以“ SQL注入” PHP变量比较吗?
[英]Can you “SQL Inject” a PHP Variable Comparison?
问题描述
So something that I have been wondering about while working on a current project is if a simple variable comparison is in danger of "SQL Injection" type attacks when one of the variables is user entered. 
因此,在当前项目上工作时,我一直想知道的是,当用户输入一个变量时,简单的变量比较是否有遭受“ SQL Injection”类型攻击的危险。
My basic login functionality works by taking the user provided username and using a prepared statement to look it up in the profiles table. 我的基本登录功能通过采用用户提供的用户名并使用准备好的语句在配置文件表中进行查找来起作用。 If a record is found, the profileID is then retrieved from the record and used to look up the user's password in another permissions table. 如果找到记录,则从记录中检索profileID ,并将其用于在另一个权限表中查找用户的密码。 If THAT query is successful then the user provided password is === against the retrieved password from the database. 如果该查询成功,则用户提供的密码与从数据库中检索到的密码相对应=== 。
So my question is, does that last step pose a risk? 所以我的问题是,最后一步会带来风险吗? I have tried 'hacking it myself putting through values like a' == 'a' || 'a 我尝试过“自己通过输入a等值来破解它a' == 'a' || 'a a' == 'a' || 'a in an attempt to falsely trigger the $pass === $checkPermRow['pass'] but it doesn't seem to do anything. a' == 'a' || 'a试图错误地触发$pass === $checkPermRow['pass']但似乎没有任何作用。 Am I safe? 我安全吗?
1 个解决方案
解决方案1
2 已采纳 2014-05-26 05:36:23
If you use prepared statements and pass the input as parameters to the prepared statement, you're safe from SQL injections. 如果使用预处理语句并将输入作为参数传递给预处理语句,则可以避免SQL注入。 The parameters should be handled properly and it should not be possible that fragments of the passed parameters are interpreted as SQL code instead of data. 应该正确处理参数,并且不可能将传递的参数的片段解释为SQL代码而不是数据。 That's the exact point of parameterization, ie, the separation of code and data parameters. 这就是参数化的确切点,即代码和数据参数的分离。
So it should not be possible to inject anything into the query. 因此,应该不可能向查询中注入任何内容。 However, you should not store the passwords in plaintext but in a irreversible form as a hash using an appropriate hash function. 但是,您不应使用适当的哈希函数将密码以纯文本形式存储为哈希,并且不能以不可逆的形式存储。
As for your question whether an injection is also possible in PHP itself: Yes, code injection can happen in any code that gets generated dynamically, so even in PHP. 至于您的问题,是否还可以在PHP本身中进行注入:是的,代码注入可以发生在动态生成的任何代码中,甚至在PHP中也是如此。
However, you would need not just to generate the code dynamically but also execute it. 但是,您不仅需要动态生成代码,还需要执行它。 PHP has some functions that execute PHP), eg, the eval function . PHP具有执行PHP的一些功能,例如eval函数 。 However, you would probably not use constructs like this: 但是,您可能不会使用这样的构造:
if (eval("return '$pass' === '$checkPermRow[pass]';"))
This would be vulnerable to PHP code injection and a a' == 'a' || 'a 这将容易受到PHP代码注入和a' == 'a' || 'a攻击。 a' == 'a' || 'a would result in something like: a' == 'a' || 'a会导致类似:
return 'a' == 'a' || 'a' === 'password from database';
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.