MySQL注入查询 [英] MySQL injection query
问题描述
我熟悉准备好的语句,并且我知道在防止MySQL注入方面,它们是最佳实践.但是我想知道这个PHP/MySQL语句可能会受到注入攻击的风险:
I'm familiar with prepared statements and I know that they are best practice when it comes to protecting against MySQL injection. But I'm wondering how this PHP/MySQL statement could be at risk of an injection attack:
$result = mysqli_query($db,"SELECT name FROM users WHERE id = '".$_POST['name']."';");
在我看来,用户输入的内容将包含在单引号内.您可以在一个mysqli_query
语句中执行多个查询吗?
It seems to me like the input from the user would be contained inside the single quotes. Can you execute more than one query in one mysqli_query
statement?
此外,使上述操作变得如此简单...
Also, is making the above safe just as easy as this...
$result = mysqli_query($db,"SELECT name FROM users WHERE id = '".mysqli_real_escape_string($_POST['name'])."';");
推荐答案
在我看来,用户输入的内容将包含在单引号内
It seems to me like the input from the user would be contained inside the single quotes
除非您在发布的name
中包含单引号,否则将使您不使用引号.例如,将名称发布为:
It would unless you include single quotes in the posted name
, which would allow you to break out of the quotes. Example, post the name as:
' or 1 or '
WHERE子句变为:
The WHERE clause becomes:
WHERE id = '' or 1 or '';
由于or 1
部分,这将匹配并检索表中的所有行.如您所见,它突破了引号,注入了一些SQL,然后又回到了引号中,以使查询有效.
This would match and retrieve all rows in the table because of the or 1
part. As you can see, it breaks out of the quotes to inject some SQL, then it goes back into the quotes to make the query valid.
您可以在一个
mysqli_query
语句中执行多个查询吗?
Can you execute more than one query in one
mysqli_query
statement?
否,但是如果使用mysqli_multi_query
执行,则可以在末尾添加多个查询.
No, but if it was executed with mysqli_multi_query
then yes you could add multiple queries on to the end.
使上述安全性与
mysqli_real_escape_string
一样容易吗?
通常是的,但是准备声明会更好.使用转义,WHERE
子句将变为(使用上面的示例):
Generally yes but a Prepared Statement would be better. Using escaping, the WHERE
clause would become (using my example above):
WHERE id = '\' or 1 or \'';
这不再是脆弱的,因为引号不能被打断,并且仅当name
字面匹配' or 1 or '
时才匹配行,这显然是不可能的.
This is no longer vulnerable because the quotes can't be broken out of, and would only match rows if the name
literally matches ' or 1 or '
which is obviously unlikely.
这篇关于MySQL注入查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!