[英]How to insert php codes into database?
I'm testing my mysql codes vulnerability. 我正在测试mysql代码漏洞。
This is the php injection: 这是php注入:
$myvar = "varname";
$x = $_GET['arg'];
eval("\$myvar = \$x;");
Or any other php code, like blow: 或任何其他php代码,例如打击:
<?php mysqli_close($conn); ?>
My purpose is to insert them into DB but don't execute them. 我的目的是将它们插入数据库,但不执行它们。
Actualy these codes are gonna inserted into DB from an html input form by a user and I wan to display them for the user.(sth like messaging) 实际上,这些代码将由用户从html输入表单插入DB中,我希望为用户显示它们。(例如消息传递)
Problem : 问题 :
The problem is that when I try to insert them into DB it fails, my insert query is this: 问题是,当我尝试将它们插入数据库失败时,我的插入查询是这样的:
mysqli_query($conn,"INSERT INTO table (usr,id,message,date) VALUES ($usr,'$id','$message','$date')");
The codes are in $message
. 代码在
$message
。
I also should add this validation function: 我还应该添加此验证功能:
function validate($data)
{
stripslashes($data);
htmlspecialchars($data);
htmlentities($data);
strip_tags($data);
addslashes($data);
return($data);
}
Before inserting $message
into DB I have validated it by this function validate($message)
but even this can't fix the problem. 在将
$message
插入数据库之前,我已经通过此函数validate($message)
对其进行了validate($message)
但是即使这样也无法解决问题。
Escape your input data with a real_escape_string
function: http://php.net/manual/en/mysqli.real-escape-string.php 使用
real_escape_string
函数转义您的输入数据: http : real_escape_string
Now you can safely create a legal SQL string that you can use in an SQL statement. 现在,您可以安全地创建可在SQL语句中使用的合法SQL字符串。
To insert code php in database, following this options : 1. To insert data, use htmlspecialchars. 要在数据库中插入代码php,请遵循以下选项:1.要插入数据,请使用htmlspecialchars。 example :
例如:
$string = '<?php echo "Hello world"; ?>';
htmlspecialchars($string);
Before read/get data, use htmlspecialchars_decode. 在读取/获取数据之前,请使用htmlspecialchars_decode。 Example :
htmlspecialchars_decode($string);
范例:
htmlspecialchars_decode($string);
Hope this maybe can help you :-) 希望这可以对您有所帮助:-)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.