PHP Security Road 3: Common Vulnerabilities, Attack and Defense

Chapter 1: SQL Injection

Secure configuration and secure coding are not foolproof; an attacker can often probe a vulnerability until a new opening appears, or even bring a 0-day.

The following summarizes common vulnerabilities to watch for in daily development and maintenance work.

* Catching up with an old friend: the SQL injection vulnerability

Years ago, in my junior year as an undergraduate, I did attack-and-defense experiments on SQL injection. In the Web 1.0 era it was a very common attack, especially against old ASP and PHP sites, which were often injected and then used to escalate privileges.

Simply put, SQL injection abuses URL (request) parameters: the attacker keeps probing to extract database information, guessing field names, inferring table names, and finally dumping the database to obtain the back-end administrator's account and password.

Common types

A. Error-based injection
Assume the URL carries a parameter, such as:
https://learnhackerphp.com/search?username=freephp
The original sql is:

select * from users where name = 'freephp'

Now we change the input in the browser's address bar:

https://learnhackerphp.com/search?username=freephp'lol

The sql statement becomes:

select * from users where name='freephp'lol'

This makes the SQL statement fail. If error output is enabled, the database error message (possibly with a stack trace) is printed to the page, and a malicious user can exploit what it reveals. Set display_errors = Off once the site goes live, and log errors server-side instead.

B. Ordinary injection

Examples are as follows:

https://localhost/search.php?name=name' OR 'a'='a

The final SQL is:
select * from user where name='name' OR 'a'='a'

This becomes a universal query: every row matches, so you can read any data you like, and with UNION and stacked statements you can even reach any table in the database.
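As an added example (not code from the original post), here is how the payloads from A and B rewrite a query that concatenates its parameter, next to the prepared-statement version of the same query. It runs against an in-memory SQLite database so no MySQL server is needed; the users table and its rows are constructed here.

```php
<?php
// Added example, not from the original post. SQLite in memory stands in for
// MySQL so the script runs offline; the table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (name, password) VALUES ('freephp', 'p1'), ('admin', 'p2'), ('guest', 'p3')");

// Vulnerable: the request parameter is pasted straight into the SQL text.
function vulnerableQuery(PDO $pdo, string $username): array
{
    $sql = "SELECT * FROM users WHERE name = '" . $username . "'";
    echo "SQL: $sql\n";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the parameter travels separately from the SQL text, so a quote in
// it is just a character in a value.
function preparedQuery(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payloads = [
    'freephp',          // normal input: 1 row
    "freephp'lol",      // A: breaks the quoting, the database reports a syntax error
    "name' OR 'a'='a",  // B: universal query, every row comes back
];

foreach ($payloads as $p) {
    try {
        $rows = vulnerableQuery($pdo, $p);
        printf("vulnerable -> %d row(s)\n", count($rows));
    } catch (PDOException $e) {
        // This is the message that display_errors=On would leak to the browser.
        echo "vulnerable -> error: " . $e->getMessage() . "\n";
    }
    printf("prepared   -> %d row(s)\n\n", count(preparedQuery($pdo, $p)));
}
```

The prepared version returns one row for the genuine username and zero rows for both payloads, because the whole string is compared literally against the name column.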

C. Implicit type conversion injection

First look at how MySQL implicitly converts the input value and the column when they are compared with different types:

Input type | Table field type | Type after conversion
-----------|------------------|----------------------
NULL       | any type         | NULL
STRING     | STRING           | STRING
INT        | INT              | INT
INT        | STRING           | DOUBLE
INT        | DOUBLE           | DOUBLE
INT        | TIMESTAMP        | TIMESTAMP
any type   | DECIMAL          | DECIMAL
any type   | Hex              | Binary

Now write the following SQL:

select * from user where address=0

Because address is a string column and 0 is an integer, MySQL converts each address to a number (DOUBLE) before comparing. Any string that does not begin with a digit converts to 0, so the comparison is true and you get (practically) the whole table.
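As an added example (not code from the original post), the script below reproduces this conversion against a real MySQL server and shows the practitioner's caveat: a prepared statement does not help if the value is bound with the wrong type, because MySQL applies the same conversion rules to a bound integer. The DSN and credentials are assumptions; the user table is created as a TEMPORARY table with constructed rows.

```php
<?php
// Added example, not from the original post. Needs a MySQL server; the DSN,
// user and password below are assumptions. The table and rows are constructed.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8mb4', 'user', 'password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

$pdo->exec('CREATE TEMPORARY TABLE user (id INT PRIMARY KEY, name VARCHAR(32), address VARCHAR(64))');
$pdo->exec("INSERT INTO user VALUES (1, 'freephp', 'CDC,china'), (2, 'admin', 'Beijing'), (3, 'guest', '12 Main St')");

// Integer literal vs. VARCHAR column: MySQL converts the string side to a number.
// 'CDC,china' and 'Beijing' become 0, '12 Main St' becomes 12, so rows 1 and 2 match.
$rows = $pdo->query('SELECT id, address, address + 0 AS as_number FROM user WHERE address = 0')
            ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $r) {
    printf("literal 0 matched id=%d address=%s (converts to %s)\n", $r['id'], $r['address'], $r['as_number']);
}

// Same comparison through a prepared statement. Bound as INT the server still
// compares numerically (rows come back); bound as STRING it compares text to
// text and nothing matches. The fix is to validate/cast to the column's type.
$stmt = $pdo->prepare('SELECT COUNT(*) FROM user WHERE address = ?');

$stmt->bindValue(1, 0, PDO::PARAM_INT);
$stmt->execute();
printf("bound as INT:    %d row(s)\n", $stmt->fetchColumn());

$stmt->bindValue(1, '0', PDO::PARAM_STR);
$stmt->execute();
printf("bound as STRING: %d row(s)\n", $stmt->fetchColumn());
```

The lesson is that parameter binding stops the SQL text from being altered, but it does not decide how MySQL compares types; that is the job of the validation step described later in this chapter.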

D. Probing off the beaten path

For example, smuggling extra function calls into the SQL statement, such as:

select * from user where if (MID(version(), 1, 1) LIKE 5, sleep(5), 1)

If the query really takes 5 seconds to return, the first character of version() is 5, i.e. MySQL 5.x. This is time-based blind injection: nothing is displayed, but each probe leaks one bit through the response time.
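As an added example (not code from the original post), the following runs the same conditional-sleep probe locally against a MySQL connection and turns the timing into an inference loop over candidate digits, then checks the guess against the real version(). The DSN and credentials are assumptions.

```php
<?php
// Added example, not from the original post. Needs a MySQL (or MariaDB) server;
// the DSN, user and password are assumptions.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=test', 'user', 'password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Tries each candidate first digit of version(). The query only sleeps when
// the guess is right, so the digit whose probe stalls is the answer.
function probeMajorVersion(PDO $pdo, array $candidates, float $delay = 1.0): ?string
{
    foreach ($candidates as $digit) {
        // Same shape as the payload in the text: a conditional SLEEP() inside the query.
        $sql = sprintf('SELECT IF(MID(VERSION(), 1, 1) LIKE %d, SLEEP(%.1f), 1)', $digit, $delay);
        $start = microtime(true);
        $pdo->query($sql)->fetchColumn();
        $elapsed = microtime(true) - $start;
        printf("digit %d: %.2fs\n", $digit, $elapsed);
        if ($elapsed >= $delay * 0.9) {   // small tolerance for clock granularity
            return (string) $digit;
        }
    }
    return null;
}

$guess  = probeMajorVersion($pdo, [5, 8, 1]);   // MySQL 5.x, MySQL 8.x, MariaDB 10.x/11.x
$actual = $pdo->query('SELECT VERSION()')->fetchColumn();
printf("inferred first digit: %s, actual version(): %s\n", $guess ?? 'none', $actual);
```

On the defensive side the countermeasure is the same prepared statements described below; in addition, SLEEP() and BENCHMARK() calls showing up in the slow query log are a strong sign that someone is running this kind of probe against you.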

That covers common SQL injection; now, how to prevent it? PHP already ships excellent prepared-statement support.

Use PDO or the mysqli_* family of functions to prepare (precompile) SQL statements, so that parameters are never spliced into the SQL text and injection is prevented.

<?php
require_once('../conf/db.php');   // assumed to define $dsn, $user and $password
$pdo = new PDO($dsn, $user, $password);
// ... some logic code

$sql = 'insert into user (name,address) values(:name,:address)';
$stmt = $pdo->prepare($sql);

$name = "freephp'hack";   // the quote is sent as data, not as part of the SQL
$address = "CDC,china";

// bind parameters
$stmt->bindParam(':name', $name);
$stmt->bindParam(':address', $address);

if ($stmt->execute()) {
    echo "insert success";
} else {
    print_r($stmt->errorInfo());
}

However, by default the PDO MySQL driver emulates prepared statements on the client side (it quotes the values into the SQL string itself) instead of having MySQL execute a true server-side prepared statement. Be sure to add the following, so that prepares are native and errors surface as exceptions rather than silent false returns:

$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

One caveat: if you do leave emulation on, set the connection charset in the DSN (for example charset=utf8mb4) rather than with a later SET NAMES, because the client-side quoting must know the real character set to escape multibyte input correctly.

In addition, validate the parameters the user sends: check that they are well-formed, check their type, and where possible constrain them to a fixed array of allowed values (a whitelist).
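As an added example (not code from the original post), here is a search function that puts these recommendations together: a connection configured with native prepares, exceptions and a DSN charset; typed binding for the values that can be parameters; and a whitelist for the sort column and direction, which cannot be bound as parameters and therefore must never come from the request unchecked. The DSN, credentials, column names and helper names are assumptions.

```php
<?php
// Added example, not from the original post. Needs a MySQL server with a
// `user` table holding id, name and address; the DSN, credentials and
// helper names are assumptions.
function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4', // charset in the DSN, not via SET NAMES
        'user',
        'password',
        [
            PDO::ATTR_EMULATE_PREPARES   => false,                 // real server-side prepared statements
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Identifiers (column names) and keywords (ASC/DESC) cannot be bound as
// parameters, so they are checked against a fixed whitelist instead.
const SORTABLE_COLUMNS = ['name', 'address'];

function searchUsers(PDO $pdo, array $query): array
{
    // Validate type and shape before any value gets near the SQL.
    $name = $query['username'] ?? '';
    if (!is_string($name) || $name === '' || strlen($name) > 32) {
        throw new InvalidArgumentException('username must be 1-32 characters');
    }

    $page = filter_var($query['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($page === false) {
        throw new InvalidArgumentException('page must be a positive integer');
    }

    $sort = $query['sort'] ?? 'name';
    if (!in_array($sort, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $dir = (($query['dir'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';

    $perPage = 20;
    // $sort and $dir come from the whitelist above; everything user-controlled is bound.
    $sql  = "SELECT id, name, address FROM user WHERE name = :name ORDER BY $sort $dir LIMIT :limit OFFSET :offset";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);           // PARAM_INT matters: LIMIT rejects a quoted string
    $stmt->bindValue(':offset', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Usage: in a real handler $query would be $_GET; constructed input here.
$pdo = connect();
// The universal-query payload is compared literally against name and matches no row.
print_r(searchUsers($pdo, ['username' => "name' OR 'a'='a", 'page' => '2', 'sort' => 'address', 'dir' => 'desc']));

try {
    searchUsers($pdo, ['username' => 'freephp', 'sort' => 'password']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // unsupported sort column
}
```

The split is the point: values go through bindValue with an explicit PDO::PARAM_* type, while anything that shapes the statement itself (columns, sort order, table names) is chosen by the code from a closed list.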

Never trust any data that comes from the user, and never let go of your pessimistic lock, even if you are a born optimist.

Origin www.cnblogs.com/freephp/p/12001901.html