PHP在mysqli where子句[Havij]中使用%
[英]PHP Using % inside mysqli where clause [Havij]
问题描述
So my website was open to SQL injection and exploited using Havij. 
因此,我的网站开放了SQL注入功能,并使用Havij进行了利用。 My question is for that program you can do a placeholder in the format of getVariable=%inject_Here% . 我的问题是,对于该程序,您可以使用getVariable=%inject_Here%的格式进行占位。
Now I know in a like statement you can use % as a wild card. 现在,我知道在类似的语句中,您可以将%用作通配符。
Do % signs have any significance inside an equals comparison? 百分号在相等比较内是否有意义? Or with that structure is it literally looking for the string "%inject_Here%". 或者使用这种结构,它实际上是在寻找字符串“%inject_Here%”。
I'm just trying to understand the format to help further prevent injection. 我只是想了解格式,以帮助进一步防止注入。
Any information on the subject would be appreciated! 关于这个问题的任何信息将不胜感激!
1 个解决方案
解决方案1
0 2015-03-17 01:30:35
You can convert a string to it's hexadecimal value. 您可以将字符串转换为它的十六进制值。 Here is a website about doing that in sql http://www.codeproject.com/Articles/610089/SQL-Servers-FORMAT-function#13 . 这是一个有关在sql中执行此操作的网站, 网址为http://www.codeproject.com/Articles/610089/SQL-Servers-FORMAT-function#13 。 Every Language has an easy to use method to convert strings to and from hexadecimal. 每种语言都有一种易于使用的方法来将字符串与十六进制进行相互转换。 This will enable you to place any character you want in the string. 这将使您能够将所需的任何字符放入字符串中。
If you are actually using percentages in a mathematical type of way, it is not proper to store them in your sql string. 如果您实际上是以数学方式使用百分比,则将它们存储在sql字符串中是不合适的。 You should store it in decimal format. 您应该以十进制格式存储它。 decimal(p,s) example decimal(5,2) 十进制(p,s)示例十进制(5,2)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.