
Sql injection attempt PHP 5.2.6

Using PHP 5.2.6 in XAMPP:
I read about sql injections here and tried that with the following login form:

<html><body>
        <form method='post' action='login.php'>
            <input type='text' name='user'/>
            <input type='text' name='pass'/>
            <input type='submit'/>
        </form>
</body></html>

and PHP code:

<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
// User input is interpolated straight into the SQL string (the injection point under discussion)
$query = "Select * from users where user='$user' AND pass='$pass'";
echo $query;
mysql_connect('localhost','root','');
mysql_select_db('test');
$res = mysql_query($query);
$row = null; // initialise so the check below does not read an undefined variable when the query fails
if($res) $row = mysql_fetch_assoc($res);
if($row) echo 'yes';
?>

What I found out was, the $pass variable already had all the special characters escaped. So, is there no need to use mysql_real_escape_string in PHP 5.2.6 then?

The values may be escaped due to Magic Quotes being enabled in your server configuration. Magic quotes are considered very bad, basically for the exact reason you mention. It is not safe to rely on a feature that may or may not be on to automagically escape your incoming data. It is much better to do it yourself at run time.

For more information on Magic quotes, and why they're bad, and how to disable them, take a look at a few of these SO questions/answers:

No, I don't think you're right here. Whether or not php magically escapes special characters in this example, the interpreter isn't going to perform mysql specific escaping on your query args.

I think it's extremely likely that there's a vulnerability in this code.

It is likely your PHP server is configured to use Magic Quotes, a deprecated setting in PHP that automatically escapes all incoming data in a PHP script. It's deprecated and will be removed in PHP 6. Here are Zend's reasons for removing Magic Quotes.

It's better to not rely on 'magic' that makes many things work but breaks others. Explicitly escaping your input is more reliable and makes you design better code. For example, not all input needs to be escaped in the same way.
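The explicit approach the answers recommend, as an added example that is not code from the question or from any of the answers: undo magic quotes if the server has them on, then run the same lookup as a prepared statement, assuming the question's `test` database, `users` table and password-less root account.

```php
<?php
// Added example: the page's login lookup written so that it works the same
// whether magic_quotes_gpc is on or off. Assumes the 'test' database and the
// 'users' table with 'user' and 'pass' columns from the question.

// Undo magic quotes if enabled, so $_POST holds the raw bytes the client sent.
// get_magic_quotes_gpc() exists in PHP 5.2 (it was removed in PHP 8.0).
function raw_post($key) {
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// What the question's code does: string interpolation. With magic quotes off,
// a value containing a single quote changes the structure of the query itself.
function build_query_unsafe($user, $pass) {
    return "SELECT * FROM users WHERE user='$user' AND pass='$pass'";
}

// Prepared statement: the SQL text is fixed before the values are bound, so the
// values are only ever data, regardless of quotes, backslashes or magic quotes.
function login_prepared(PDO $pdo, $user, $pass) {
    $stmt = $pdo->prepare('SELECT * FROM users WHERE user = ? AND pass = ?');
    $stmt->execute(array($user, $pass));
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

$user = raw_post('user');
$pass = raw_post('pass');

// Show what the interpolated query would have been, HTML-escaped for display,
// instead of executing it.
echo 'unsafe query would be: '
   . htmlspecialchars(build_query_unsafe($user, $pass), ENT_QUOTES, 'UTF-8') . "\n";

$pdo = new PDO('mysql:host=localhost;dbname=test', 'root', '');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares rather than client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

echo login_prepared($pdo, $user, $pass) ? "yes\n" : "no\n";
?>
```

The schema on the page compares the password column directly, so this example keeps that comparison; hashing stored passwords is a separate matter not covered here.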
