ADOdb中的SQL注入和一般网站的安全性 [英] SQL injections in ADOdb and general website security
问题描述
我已经读了很多书,但仍然不了解100%某些SQL注入是如何发生的!
I have done pretty much reading and still don't understand 100% how some of the SQL injections happen!
我想从认识的人那里看到基于我的示例的SQL注入的具体示例,因此可以对其进行复制,测试和修复.我试图用SQL注入我的代码,但不能,所以我希望有人证明我的身份!
I'd like to see, from those who know, concrete examples of SQL injection based on my example, so it could be replicated, tested and fixed. I have tried to SQL inject my code and couldn't, so I'd like someone to prove me otherwise!
1.我说对了,SQL注入只能通过POST或GET方法进行,这意味着在网站上它应该是发布形式,例如注册或搜索"或"search.php?tags = love"之类的查询?
1.Am I right that SQL injection can happen ONLY with POST or GET methods, meaning that on the website it should be the post form, e.g. 'signup or search' or query like 'search.php?tags=love'?
这是否可能注入具有POST方法的以下代码?
Saying that is this possible to inject the following code that has POST method?
$name = trim($_POST['username']);
$mail = trim($_POST['email']);
$password = trim($_POST['password ']);
if ($errors == "false") {
$sql =
"INSERT INTO
clients
SET
name='" . mysql_real_escape_string($name) . "',
mail='" . mysql_real_escape_string($mail) . "',
password='" . mysql_real_escape_string(sha1($password)) . "'";
$connection->execute($sql);
}
2.另一个具有GET方法:rate.php?like&videoID=250&userID=30
2.The other one has GET method: rate.php?like&videoID=250&userID=30
$sql =
"SELECT
videoID
FROM
likes
WHERE
videoID = '" .mysql_real_escape_string($videoID). "' AND UID = '" .mysql_real_escape_string($userID). "' LIMIT 1";
$connection->execute($sql);
请帮助那些对此主题感到随意但使用具体示例的人.
Please help those that feel free with the subject but use the concrete examples.
预先感谢,
Ilia
Thanks in advance,
Ilia
推荐答案
当用户输入的编码不正确时,就会发生SQL注入攻击.通常,用户输入是用户随其查询发送的一些数据,即$_GET,$_POST,$_COOKIE,$_REQUEST或$_SERVER数组中的值.但是,用户输入也可以来自各种其他来源,例如套接字,远程网站,文件等.因此,您应该真正处理除常量之外的所有内容(例如'foobar')作为用户输入.
SQL injection attacks happen when user input is improperly encoded. Typically, the user input is some data the user sends with her query, i.e. values in the $_GET, $_POST, $_COOKIE, $_REQUEST, or $_SERVER arrays. However, user input can also come from a variety of other sources, like sockets, remote websites, files, etc.. Therefore, you should really treat everything but constants (like 'foobar') as user input.
在您发布的代码中, mysql_real_escape_string 用于编码(=转义)用户输入.因此,该代码是正确的,即不允许进行任何SQL注入攻击.
In the code you posted, mysql_real_escape_string is used to encode(=escape) user inputs. The code is therefore correct, i.e. does not allow any SQL injection attacks.
请注意,忘记对mysql_real_escape_string的调用非常容易-对于熟练的攻击者来说,一次就足够了!因此,您可能想将现代 PDO 与
Note that it's very easy to forget the call to mysql_real_escape_string - and one time is enough for a skilled attacker! Therefore, you may want to use the modern PDO with prepared statements instead of adodb.
这篇关于ADOdb中的SQL注入和一般网站的安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
