简体   繁体   English

如何防止URL盲注SQL攻击

[英]How to prevent URL blind sql injection attack

I have a website which is online ,i am using acunetix for checking web vulnerabilities in my website. 我有一个在线的网站,我正在使用acunetix来检查我网站中的Web漏洞。 while scanning using acunetix it showed a high risk alert in url blind sql injection.(i am not putting the code due to its long length) 在使用acunetix进行扫描时,它在URL盲注sql注入中显示了高风险警报。(由于长度太长,我不放置代码)

eg :url showing vuln 例如:url显示vuln

   www.site.com/phpfile.php?1d=1 

i am using mysql_real_escape_string function ;after this also its showing high risk alert. 我正在使用mysql_real_escape_string函数;在此之后它还会显示高风险警报。 how do i prevent it... 我该如何预防...

and if any one new can you please tell me how i can hide(with out using .htacess; in my server .htacess is not working) the ?id=1 如果有任何新消息,可以告诉我如何隐藏(不使用.htacess;在我的服务器中.htacess无法正常工作)?id = 1

eg: when the user clicks the query it should show this 例如:当用户单击查询时,应显示此内容

   www.site.com/phpfile.php

instead of 代替

   www.site.com/phpfile.php?1d=1 

Pardon my english and advance thanks for the help 请原谅我的英语,并提前感谢您的帮助

You should escape strings using mysql_real_escape_string() , but when the expected input is an integer it never helps (if the user input isn't quoted in the query, it won't really make any difference) - you should cast it to an integer instead, either using (int) or the intval() function. 您应该使用mysql_real_escape_string()来转义字符串,但是当期望的输入是整数时,它就无济于事(如果查询中未引用用户输入,则不会有任何区别)-您应该将其转换为整数而是使用(int)intval()函数。

Also, I highly recommended you to work with prepared statements (eg PDO ) or an ORM layer (eg Doctrine ). 另外,我强烈建议您使用准备好的语句(例如PDO )或ORM层(例如Doctrine )。

if any one new can you please tell me how i can hide the ?id=1 如果有任何新消息,请告诉我如何隐藏?id = 1

There is absolutely no point in that. 绝对没有意义。
Hiding adds nothing to security. 隐藏不会增加安全性。
And viewing user's profile should be done with GET method, not POST. 查看用户的个人资料应使用GET方法而非POST完成。

i am using mysql_real_escape_string function 我正在使用mysql_real_escape_string函数

This function has nothing to do with injections. 此功能与进样无关。 It is called not "mysql_prevent_injection", but "mysql_real_escape_string". 它不是“ mysql_prevent_injection”,而是“ mysql_real_escape_string”。 So, it is used merely to format strings. 因此,它仅用于格式化字符串。 And have to be used for strings only. 并且必须仅用于字符串。
If you want to treat your data as a string, you have to put it in quotes. 如果要将数据视为字符串,则必须将其用引号引起来。 So, mysql would know it's a string. 因此,mysql会知道它是一个字符串。
One have always use these 2 things together - quotes and escaping. 一个人总是一起使用这两个东西-引号和转义。 They are useless one without another. 他们一无是处,毫无用处。

If you don't want to treat your number as a string, format it as a number. 如果您不想将数字视为字符串,请将其格式化为数字。

$id = intval($_GET['id']);

You have to format every part of the string according to it's type, not just use some functions at random. 您必须根据字符串的类型来格式化字符串的每个部分,而不仅仅是随机使用某些函数。

If you know that your id should be a number you can use: 如果您知道自己的ID应该是数字,则可以使用:

if(is_numeric($_GET['id'])){
    $id = mysql_real_escape_string($_GET['id']);
}
else{
    ;///////display error
}

您可以使用POST请求而不是GET轻松隐藏?id=1

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM