[英]Protect against SQL injection
I'm developing a website and I'm trying to secure the connection part. 我正在开发一个网站,我正在努力保护连接部分。
I used the addslashes
function on $login
to stop SQL injection but some friends told me that's not enough security. 我在$login
上使用了addslashes
函数来停止SQL注入,但有些朋友告诉我安全性不够。 However, they didn't show me how to exploit this vulnerability. 但是,他们没有告诉我如何利用此漏洞。
How can I / could you break this code? 我怎么能/你能破坏这段代码? How can I secure it? 我该如何保护它?
<?php
if ( isset($_POST) && (!empty($_POST['login'])) && (!empty($_POST['password'])) )
{
extract($_POST);
$sql = "SELECT pseudo, sex, city, pwd FROM auth WHERE pseudo = '".addslashes($login)."'";
$req = mysql_query($sql) or die('Erreur SQL');
if (mysql_num_rows($req) > 0)
{
$data = mysql_fetch_assoc($req);
if ($password == $data['pwd'])
{
$loginOK = true;
}
}
}
?>
You should use mysql_real_escape_string for escaping string input parameters in a query. 您应该使用mysql_real_escape_string在查询中转义字符串输入参数。 Use type casting to sanitize numeric parameters and whitelisting to sanitize identifiers. 使用类型转换来清理数字参数和白名单以清理标识符。
In the referenced PHP page, there is an example of a sql injection in a login form. 在引用的PHP页面中,有一个登录表单中的sql注入示例。
A better solution would be to use prepared statements, you can do this by using PDO or mysqli . 更好的解决方案是使用预准备语句,您可以使用PDO或mysqli来完成 。
采用:
mysql_real_escape_string($inputToClean);
There's another gaping security hole - extract
. 还有另一个巨大的安全漏洞 - extract
。 It may save you from typing a few characters, but opens up holes too numerous to mention, for it will overwrite any global variables. 它可以避免输入几个字符,但是打开了太多无法提及的漏洞,因为它会覆盖任何全局变量。
What happens if I post this? 如果我发布这个会怎么样?
$_POST {
'login' => 'Admin',
'loginOK' => 1
}
Guess what, $loginOK is now == 1 , and I'll be logged in as Admin. 猜猜看,$ loginOK现在是== 1,我将以管理员身份登录。
Save yourself a lot of grief later, and just use the variables you want to use, instead of relying on the horrible hack that is extract
. 以后可以节省很多时间,只使用你想要使用的变量,而不是依赖于extract
的可怕黑客。
Apart from the usage of addslashes()
, these are some random issues found in this code: 除了使用addslashes()
,这些是本代码中的一些随机问题:
isset($_POST)
is always TRUE
, unless you run it from the command line. isset($_POST)
始终为TRUE
,除非您从命令行运行它。 You can probably remove it. 你可以删除它。 empty()
is very tricky. empty()
非常棘手。 For instance, if $password = '0'
then empty($password)
is TRUE . 例如,如果$password = '0'
empty($password)
为TRUE 。 if( isset($_POST['login']) && $_POST['login']!='' ){}
你可以这样做: if( isset($_POST['login']) && $_POST['login']!='' ){}
extract($_POST)
is a huge vulnerability: anyone can set variables in your code from outside. extract($_POST)
是一个巨大的漏洞:任何人都可以从外部设置代码中的变量。 $password == $data['pwd']
suggests that you are storing plain text passwords in your database. $password == $data['pwd']
表示您将纯文本密码存储在数据库中。 That's a terrible practice. 那是一种可怕的做法。 Google for "salted password". 谷歌为“盐渍密码”。 $loginOK = $password == $data['pwd'];
你也可以做$loginOK = $password == $data['pwd'];
. 。 Do you realise why? 你明白为什么吗? ;-) ;-) 你应该使用mysql_real_escape_string
而不是addslashes
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.