The symbols I should be aware of for SQL injection


Problem description

I know that you cure all of the stuff with mysql_real_escape_string() (and with htmlspecialchars()), but I want to know the symbols that cause all this mess everyone wants to get rid of?

The thing here is, that we here had to transfer a website not built by us from one host to another.

It has been coded from ground up, to utilize php's now deprecated and never loved one - magic_quotes.

After the host change there have been php.ini changes also, and we encountered a lot of unexpected results. We don't have access to php.ini, there is no user.ini (5.2.x) and the host is not responsive enough to enable some extra features for us. There is a problem with hosting services here in Latvia, a major one.

But yeah, that's off-topic already. I simply want to know, which symbols are the ones that with no escaping, no magic quotes and no protection can cause all this mess?

Plus, there were errors when text contained stuff like /ls, which resembles the UNIX (the host OS) directory listing command - "Method Not Implemented".

And it looks like the website interacts with the database in a CLI environment, hence the /ls problem. And I want to confirm that whenever you input a value that starts with / and follows a UNIX command, a "Method Not Implemented" error comes up.

P.S. I'm not looking for a solution, I've already fixed the error. Just want to know the symbols.

1) As of writing the question, I was calling CLI what looks to be a socket call - unix-domain / TCP. Live and learn!

2) If you read the question fully, you'll see that I'm fixing bugs/holes left behind by other developers. Since we took over this client's IT servicing, they wanted us to take over their website too.

3) Because they have paid a lot of money for the current website, they don't want to pay even more for a new one on a newer, better built system.

4) The connection line inside the scripts is - $this->db = DB::connect('mysql://'._DB_USER.':'._DB_PASS.'@'._DB_HOST.'/'._DB_NAME.''); - unix-domain I guess.

Recommended answer

From the PHP manual:

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
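Added example (not code from the question, the answer or the PHP manual): a pure-Python reimplementation of the escaping rule quoted above, plus a small quote-balance check, so the effect of each listed character can be seen without a MySQL connection. The function names, the users/name table and the `quote_only` home-grown escaper are assumptions for illustration; the backslash rule assumes MySQL's default SQL mode, where backslash is the escape character inside string literals.

```python
# Pure-Python model of the seven characters the manual says
# mysql_real_escape_string() prepends a backslash to. Not PHP's or MySQL's code.
ESCAPES = {
    "\x00": "\\0",   # NUL: terminates C strings in the client library
    "\n": "\\n",     # newline
    "\r": "\\r",     # carriage return
    "\\": "\\\\",    # backslash itself, otherwise it could neutralise a following quote
    "'": "\\'",      # single quote, the usual string delimiter
    '"': '\\"',      # double quote, also a string delimiter unless ANSI_QUOTES is on
    "\x1a": "\\Z",   # Ctrl-Z, treated as end-of-file by Windows tools
}


def mysql_escape(value: str) -> str:
    """Prepend a backslash to each character MySQL treats as special in a quoted literal."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_lookup(username: str, quote_only: bool = False) -> str:
    """Build a statement the way legacy code does: by concatenating a quoted literal.

    quote_only=True models an assumed home-grown escaper that handles ' but forgets
    the backslash, which is the kind of gap magic_quotes used to paper over.
    """
    escaped = username.replace("'", "\\'") if quote_only else mysql_escape(username)
    return f"SELECT id FROM users WHERE name = '{escaped}'"  # assumed table/column


def literal_is_closed(sql: str) -> bool:
    """Lexer-style check: report whether every single-quoted literal is terminated.

    A dangling literal means user input changed the shape of the statement, which is
    exactly the 'mess' unescaped characters cause; useful as a unit test on query builders.
    """
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal and ch == "\\":
            i += 2            # backslash escapes the next character inside a literal
            continue
        if ch == "'":
            in_literal = not in_literal
        i += 1
    return not in_literal


if __name__ == "__main__":
    for sample in ("O'Reilly", "\\", "a\nb"):
        print(repr(sample), "->", build_lookup(sample), literal_is_closed(build_lookup(sample)))
```

Escaping reproduces the manual's list only; the durable fix for concatenated queries is to pass values as parameters of a prepared statement so no escaping table is needed at all.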
