Lesson 3: SQL Injection and Defenses (2)

Common ways of obtaining input variables

$_GET  $_POST $_COOKIE $_SERVER

is_numeric(), ctype_digit(), regular expressions

mysql_real_escape_string() vs addslashes()

http://www.w3school.com.cn/php/func_mysql_real_escape_string.asp


http://www.cnblogs.com/Safe3/archive/2008/08/22/1274095.html

http://php.net/manual/en/info.configuration.php

Example using get_magic_quotes_gpc():

if (!get_magic_quotes_gpc()) {
    // magic_quotes_gpc is off: escape the posted value ourselves
    $lastname = addslashes($_POST['lastname']);
} else {
    // magic_quotes_gpc has already added the backslashes; do not escape twice
    $lastname = $_POST['lastname'];
}
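The magic-quotes check above only decides whether to escape; it does not show the escaping the lecture actually recommends. The following is an added example (not code from the original notes) that puts the pieces together with mysqli, the successor of the mysql_* extension: undo magic quotes if that legacy feature is on, then escape with the connection-charset-aware mysqli_real_escape_string() rather than addslashes(). The connection parameters and the users table are placeholders.

```php
<?php
// Added example, not from the original notes. Connection details and the
// `users` table are placeholders; adjust them to the application.

// Return the value exactly as the client sent it. get_magic_quotes_gpc()
// was removed in PHP 8, so the call is guarded with function_exists().
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);   // magic quotes already escaped it; undo that
    }
    return $value;
}

// Escape a value for use inside a single-quoted SQL string literal.
// addslashes() only backslashes ' " \ and NUL and knows nothing about the
// connection's character set; mysqli_real_escape_string() escapes according
// to that charset (and also handles \n, \r and \x1a), which is why the
// lecture contrasts the two. Set the charset on the connection first so the
// escaping and the server agree on what a character is.
function escape_for_sql(mysqli $link, string $value): string
{
    return mysqli_real_escape_string($link, raw_input($value));
}

mysqli_report(MYSQLI_REPORT_OFF);   // keep the classic "return false on failure" behaviour
$link = mysqli_connect('127.0.0.1', 'dbuser', 'dbpass', 'dvwa');   // placeholder credentials
if ($link === false) {
    http_response_code(500);
    exit('database unavailable');
}
mysqli_set_charset($link, 'utf8mb4');

$lastname = escape_for_sql($link, $_POST['lastname'] ?? '');
$sql = "SELECT user_id, first_name FROM users WHERE last_name = '$lastname'";
$result = mysqli_query($link, $sql);
if ($result !== false) {
    while ($row = mysqli_fetch_assoc($result)) {
        echo htmlspecialchars($row['first_name']), "\n";
    }
}
```

Escaping only protects a value that is placed inside quotes; a numeric parameter written without quotes is not helped by either function and needs the numeric validation covered later in this lesson.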


Testing for SQL injection

1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1


Preventing database error-message leakage

  1. Set display_errors = Off in php.ini
  2. Prefix the database query function with the @ error-suppression operator
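The error-based payload above works only because the query's error text reaches the browser. The following added example (not code from the original notes) applies the two measures at runtime: display_errors is switched off, and instead of silencing the query with @, the failure is logged on the server while the client receives only a generic message. Credentials and the users table are placeholders.

```php
<?php
// Added example, not from the original notes. Credentials and table name
// are placeholders.

// Measure 1 at runtime instead of in php.ini: never render PHP warnings
// (which would include the MySQL error text) into the HTTP response, but
// keep writing them to the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// PHP 8.1+ makes mysqli throw exceptions by default; switch that off so
// the functions below return false on failure, as in the lecture's code.
mysqli_report(MYSQLI_REPORT_OFF);

// Measure 2, done explicitly rather than with "@": the @ operator hides the
// warning from the user but also from the developer. Here the database's
// own message goes to the log only, and the user sees a fixed string.
function run_query(mysqli $link, string $sql)
{
    $result = mysqli_query($link, $sql);
    if ($result === false) {
        error_log('query failed: ' . mysqli_error($link) . ' sql=' . $sql);
        http_response_code(500);
        exit('An internal error occurred.');
    }
    return $result;
}

$link = mysqli_connect('127.0.0.1', 'dbuser', 'dbpass', 'dvwa');   // placeholders
if ($link === false) {
    error_log('db connect failed: ' . mysqli_connect_error());
    http_response_code(500);
    exit('An internal error occurred.');
}

// Numeric parameter cast to int before it reaches the SQL text.
$id = (int) ($_GET['id'] ?? 0);
$result = run_query($link, "SELECT first_name, last_name FROM users WHERE user_id = $id");
while ($row = mysqli_fetch_assoc($result)) {
    echo htmlspecialchars($row['first_name'] . ' ' . $row['last_name']), "\n";
}
```

With display_errors off, a probe like the one above still makes the query fail, but the response carries no database name, version or column name; the failed query and its message are in the server log, which is where a defender wants to see them.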

http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1'%20and(select%201%20from(select%20count(*),concat((select%20(select%20concat(0x7e,0x27,unhex(Hex(cast(database()%20as%20char))),0x27,0x7e))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%20'1'='1&Submit=Submit#


http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=%27+union+select+user%2Cpassword+from+users%23&Submit=Submit


Defenses against numeric-type injection

  1. is_numeric(), ctype_digit(), intval(), regular expressions
  2. Limit the input length with strlen()

Defenses against string-type injection

  1. Filter with mysql_real_escape_string()
  2. Limit the input length with strlen()
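Both checklists, worked into reusable validators as an added example (not code from the original notes). The numeric validator uses ctype_digit() plus a length limit and intval(); the string validator uses a whitelist regular expression plus a length limit. It then goes one step beyond the notes and passes the validated values as bound parameters of a prepared statement, so the SQL text is fixed before any user data reaches the server. Length limits, credentials and the users table are placeholders.

```php
<?php
// Added example, not from the original notes. Limits, credentials and the
// `users` table are placeholders.

const MAX_ID_LEN   = 10;   // constructed limit: a MySQL INT has at most 10 digits
const MAX_NAME_LEN = 50;   // constructed limit for a name column

// Numeric parameter: digits only, bounded length, then cast to int.
// ctype_digit() rejects '1e3', '-1', '0x1A' and ' 1', all of which
// is_numeric() accepts, so it is the stricter of the two checks named above.
function validate_id(string $raw): ?int
{
    if ($raw === '' || strlen($raw) > MAX_ID_LEN || !ctype_digit($raw)) {
        return null;
    }
    return intval($raw);
}

// String parameter: whitelist the character set with a regular expression
// and bound the length. Quotes, semicolons and comment markers never pass,
// so nothing that could change the SQL text survives validation.
function validate_name(string $raw): ?string
{
    if ($raw === '' || strlen($raw) > MAX_NAME_LEN || !preg_match('/^[A-Za-z][A-Za-z -]*$/', $raw)) {
        return null;
    }
    return $raw;
}

$id   = validate_id($_GET['id'] ?? '');
$name = validate_name($_POST['lastname'] ?? '');
if ($id === null || $name === null) {
    http_response_code(400);
    exit('invalid input');
}

mysqli_report(MYSQLI_REPORT_OFF);
$link = mysqli_connect('127.0.0.1', 'dbuser', 'dbpass', 'dvwa');   // placeholders
if ($link === false) {
    http_response_code(500);
    exit('database unavailable');
}
mysqli_set_charset($link, 'utf8mb4');

// Even validated values are bound, not interpolated: 'i' marks the integer
// parameter and 's' the string, and the driver sends them separately from
// the statement text, so escaping is no longer the only line of defence.
$stmt = mysqli_prepare($link, 'SELECT user_id, last_name FROM users WHERE user_id = ? AND last_name = ?');
mysqli_stmt_bind_param($stmt, 'is', $id, $name);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
while ($row = mysqli_fetch_assoc($result)) {
    echo htmlspecialchars($row['last_name']), "\n";
}
```

Validation and binding are complementary: the validators reject junk early and keep error handling simple, while the prepared statement guarantees that even a value which slips past a too-loose whitelist cannot alter the query.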


How to find SQL injection vulnerabilities

Common ways of obtaining input variables

$_GET  $_POST $_COOKIE $_SERVER

Database operation functions

mysql_query()


Further reading after class

http://www.w3school.com.cn/php/index.asp

Reposted from www.cnblogs.com/idebug/p/11042435.html