对于SQL注入我应该知道的符号 [英] The symbols I should be aware of for SQL injection
问题描述
我知道您可以使用mysql_real_escape_string()
(以及htmlspecialchars()
)治愈所有东西,但是我想知道导致所有人都想要摆脱的所有混乱的符号吗?
I know that you cure all of the stuff with mysql_real_escape_string()
(and with htmlspecialchars()
), but I want to know the symbols that cause all this mess everyone wants to get rid of?
这里的事情是,我们必须在这里将非我们建立的网站从一个主机转移到另一个主机.
The thing here is, that we here had to transfer a website not built by us from one host to another.
它是从头开始编码的,以利用现在已经不推荐使用的php
-从未使用过的magic_quotes
.
It has been coded from ground up, to utilize php
's now deprecated and never loved one - magic_quotes
.
在更改主机之后,也进行了php.ini
更改,我们遇到了很多意外的结果.我们没有访问php.ini
的权限,也没有访问user.ini
(5.2.x)的权限,并且主机响应速度不足,无法启用某些其他功能.拉脱维亚的托管服务存在问题,这是一个主要问题.
After the host change there have been php.ini
changes also, we encountered a lot of unexpected results. We don't have access to php.ini
, there is no user.ini
(5.2.x) and the host is is not responsive enough to enable us some extra features. There is a problem with hosting services here in Latvia, a major one.
但是,是的,这已经是题外话了.我只是想知道,哪些符号是没有转义,没有魔术引号且没有保护的符号会导致所有这些混乱?
But yeah, that's off-topic already. I simply want to know, which symbols are the ones that with no escaping, no magic quotes and no protection can cause all this mess?
此外,当文本包含类似/ls
之类的东西时出现错误,该东西类似于UNIX(主机OS)目录列表命令-未实现方法.
Plus, there were error when text contained stuff like - /ls
which resembles UNIX (the host OS) directory listing command - Method Not Implemented.
并且看起来网站在CLI环境中与数据库交互,因此出现了/ls
问题.而且我想确认一下,只要您输入以/
开头并遵循UNIX命令的值,就会出现未实现方法"错误.
And it looks like the website interacts with database in CLI environment, hence the /ls
problem. And I want to confirm that whenever you input a value that starts with /
and follows UNIX command- "Method Not Implemented" errors comes up.
P.S.我不是正在寻找解决方案,我已经解决了该错误.只是想知道符号.
P.S. I'm not looking for a solution, I've already fixed the error. Just want to know the symbols.
1)撰写问题时,我正在呼叫CLI
看起来像socket
呼叫-unix-domain
/TCP
.生活和学习!
1) As of writing the question, I was calling CLI
what looks to be socket
call- unix-domain
/ TCP
. Live and learn!
2)如果您完整阅读了该问题,您会发现我正在修复其他开发人员留下的错误/漏洞.确实,我们接管了这些客户的IT服务,他们也希望我们接管他们的网站.
2) If you read the question fully, you'll see that I'm fixing bugs/holes left behind other developers. Sine we took over this clients IT servicing, they wanted us to take over their website too.
3)因为他们为当前网站支付了很多钱,所以他们不想为更新,更好的构建系统上的新网站支付更高的费用.
3) Because they have paid a lot of money for current website, they don't want to pay even more for a new one on a newer, better built system.
4)我猜脚本中的连接线是-$this->db = DB::connect('mysql://'._DB_USER.':'._DB_PASS.'@'._DB_HOST.'/'._DB_NAME.'');
-unix-domain
.
4) The connection line inside the scripts is - $this->db = DB::connect('mysql://'._DB_USER.':'._DB_PASS.'@'._DB_HOST.'/'._DB_NAME.'');
- unix-domain
I guess.
推荐答案
来自 PHP手册:
mysql_real_escape_string()调用MySQL的库函数 mysql_real_escape_string,将反斜杠添加到以下内容 字符:\ x00,\ n,\ r,\,',和\ x1a.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
这篇关于对于SQL注入我应该知道的符号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!