Is SQL injection a risk today?

Question

I've been reading about SQL injection attacks and how to avoid them, although I can never seem to make the "awful" examples given work, e.g. see this post.

I created a PHP file and a table in the database, had a value passed through $_GET and tried to delete the table by doing bob'); drop table students; -- and it didn't work. PHP automatically escapes the \' and the query has an error, no harm done. Same issue when trying to replicate login "attacks" like AND WHERE 1=1 etc.

Sample code:

<?php
$id = $_GET['id'];

$sql = "INSERT INTO Users (Username) VALUES ($id)";
echo $sql;
mysql_query($sql) or die(mysql_error());

I would pass sql.php?id=1); delete from Users; --

So is this some dated thing that used to apply in the days of PHP3 or something, and nowadays even novices are protected from things like magic quotes?

I'm using PHP5 on Ubuntu.

Recommended answer

Quite the contrary. Magic quotes are deprecated in PHP5 and will be completely removed in PHP 5.4, as they brought more confusion to the programming world than they did good. Checking whether magic quotes are active, and escaping any SQL input scrupulously if necessary, is still very, very important... No reason to feel bad though, we've all been there, and my unknowing ass has been saved by magic quotes countless times :)

The PHP manual on magic quotes explains everything.
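
Instead of checking for magic quotes and escaping by hand, the value can be kept out of the SQL text entirely with a bound parameter. The following is an added example, not part of the original question or answer; it assumes PHP 7.1+ with the pdo_sqlite extension and uses an in-memory SQLite table in place of the asker's MySQL database, with the function name addUser chosen here for illustration.

```php
<?php
// Added example, not code from the original post. Assumption: pdo_sqlite is
// available; an in-memory SQLite database stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (Username TEXT NOT NULL)');

// Hypothetical helper: store a username using a bound parameter. The SQL text
// is fixed; the value travels separately, so quotes, parentheses and "--"
// inside it are treated as data, whatever the magic-quotes setting is.
function addUser(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('INSERT INTO Users (Username) VALUES (:username)');
    $stmt->execute([':username' => $username]);
}

// Constructed inputs: the two strings from the question plus an ordinary
// name that contains an apostrophe.
$inputs = [
    "bob'); drop table students; --",
    '1); delete from Users; --',
    "O'Brien",
];

foreach ($inputs as $value) {
    // In a web request this would be $_GET['id']; nothing is escaped or
    // slash-stripped before binding.
    addUser($pdo, $value);
}

// Read the rows back and compare each one with the input it came from.
$stored = $pdo->query('SELECT Username FROM Users ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
foreach ($stored as $i => $name) {
    printf("%d: %s (%s)\n", $i + 1, $name,
        $name === $inputs[$i] ? 'stored verbatim' : 'ALTERED');
}
printf("rows in Users: %d\n", count($stored));
```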
