有人入侵了我的数据库-怎么办? [英] Someone has hacked my database - how?

问题描述

有人入侵了我的数据库并删除了表.

Someone has hacked my database and has dropped the table.

在我的PHP页面中，有一个查询正在使用mysql_real_escape_string:

In my PHP page there is one single query where I am using mysql_real_escape_string:

$db_host="sql2.netsons.com";
$db_name="xxx";
$username="xxx";
$password="xxx";    

$db_con=mysql_connect($db_host,$username,$password);    

$connection_string=mysql_select_db($db_name);
mysql_connect($db_host,$username,$password);    
mysql_set_charset('utf8',$db_con); 

$email= mysql_real_escape_string($_POST['email']);
$name= mysql_real_escape_string($_POST['name']);
$sex= mysql_real_escape_string($_POST['sex']);    

if($_POST['M']!=""){  $sim = 1;  }else {  $sim = 0;   }

$query = "INSERT INTO `users` (`email`, `name`, `sex`, `M`) VALUES
( '".$email."', '".ucwords(strtolower($name))."', '".$sex."','".$sim."')";    

$res = mysql_query($query) or die("Query fail: " . mysql_error() );

mysql_close($db_con);

register_globals已被禁用.

那么，我的数据库是如何被黑客入侵的?

So, how was my database hacked?

推荐答案

MySQL连接.如果未指定链接标识符，则假定使用mysql_connect()打开的最后一个链接.如果找不到这样的链接，它将尝试创建一个链接，就好像没有参数调用mysql_connect()一样.如果未找到或未建立任何连接，则会生成E_WARNING级别的错误.

The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

如此处所述: mysql_real_escape_string()完全可以防止SQL注入吗?

根据您的代码段，您已两次连接数据库.

Based on your code snippet, you have connected database twice.

$db_con=mysql_connect($db_host,$username,$password);    

$connection_string=mysql_select_db($db_name);
mysql_connect($db_host,$username,$password);    
mysql_set_charset('utf8',$db_con); 

您没有提供以下数据库链接标识符:

And you did not supply the database link identifier for :

$email= mysql_real_escape_string($_POST['email']);
$name= mysql_real_escape_string($_POST['name']);
$sex= mysql_real_escape_string($_POST['sex']); 

因此，对于多字节字符，mysql_set_charset对提供的真正转义无效.$_POST.

Therefore, mysql_set_charset has no effect to real escape supplied$_POST for multi-bytes characters.

建议

• 删除第二个mysql_connect($db_host,$username,$password);
• 在执行mysql_real_escape_string时明确添加$db_con

• remove the second mysql_connect($db_host,$username,$password);
• explicitly add $db_con when doing mysql_real_escape_string

这篇关于有人入侵了我的数据库-怎么办?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！