SQL注入更改ID值 [英] SQL injection | Changing id values
问题描述
我陷入了SQL注入问题.我的页面显示表的数据,如下所示:
I'm stuck with an sql injection problem. My page displays the table's data as follows:
<input type="checkbox" name="id[]" value="<?php echo $row['id']; ?>" /><?php echo $row['data']; ?><br />
如何确定提交的值是此特定行的ID,而不是页面中注入的"随机数?
How can I be sure that the submitted value is the id of this specific row an not a random number "injected" in the page?
很明显,我将开始检查id是否将 true 返回到is_numeric()/通过mysql_real_escape_string().
Obviously, I would start checking that the id returns true to is_numeric() / get it through mysql_real_escape_string().
然后,我想到了两个选择:
Then, I thought of two options:
-
添加带有$ row ['data']副本的隐藏输入,以便我可以 在任何
mysql_query()
Adding a hidden input with a copy of the $row['data'] so that I can check the correspondence between the id and the data before any
mysql_query()
将行的ID从自动递增的数字更改为较大的随机数,以便降低幸运命中的机会.
Changing the row's id from an auto incremented number to a large random number, so that I could lower the chance of a lucky hit.
我错了吗?有更好的主意吗? 感谢您的帮助!
Do I have it wrong? Any better idea? Thanks for your help!
推荐答案
您不能.您的两种选择在根本上也存在缺陷:
You can't. Both of your options are fundamentally flawed as well:
- 可以更改复选框的值的方法可以很好地更改隐藏输入的值.
- 您的随机ID"仍然可以在Firebug的 Dev工具上看到或类似的工具.
- One that can change a checkbox's value can very well change a hidden input's value.
- Your "random IDs" can still be saw on Dev Tools, Firebug or similar tool.
您不必担心用户发送数据的方式,而应该担心数据是否有效以及用户是否有权执行给定操作.
Instead of worrying about how the user sent the data, you should worry whether the data is valid and whether the user has permission for the given action.
此外, is_numeric 也不是我的最爱将返回true的十六进制和指数表示法.我建议您使用 ctype_digit 进行检查,或者干脆用(int)演员,例如:
Also, is_numeric is not my favorite as it will return true for hex and exponential notation. I'd recommend checking with ctype_digit or simply do an (int) cast, e.g.:
if (!isset($_POST['id'])) die('invalid data');
$id = (int) $_POST['id'];
if ($id == 0) die('invalid id');
非数字字符串将转换为0,并且自动递增字段通常将1作为第一个值.如果0是有效值,则需要调整上面的代码,例如:
Non-numeric strings are converted to 0 and auto increment fields usually have 1 as the first value. In case 0 is a valid value you'll need to tweak the code above, e.g.:
if (!isset($_POST['id']) || !ctype_digit($_POST['id'])) die('invalid data');
$id = (int) $_POST['id'];
然后,检查给定的ID在您的数据库中是否存在.进行适当的权限检查即可.
Afterwards, check whether the given ID exists in your DB. Do the proper permission checks and that's it.
服务器如何获取数据无关紧要,重要的是数据是否有效以及用户是否有权执行给定的操作.您在前端/界面中所做的任何事情都可以很容易地被黑客或任何经验丰富的Web开发人员更改和操纵.
It doesn't matter how your server got the data, what matters is the data being valid and the user having permission to perform the given operation. Anything that you do in the front-end/interface can be easily changed and manipulated by a hacker or any mid-experienced web developer.
着眼于对未经授权的访问重新设置字符串并保持您的数据库完整性.无论是从您的页面,被篡改的页面还是通过终端发出请求,都可以轻松地将所有标题和发布的数据重现为貌似,这是从您的请求发出的页面.
Focus into restringing non-authorized access and keeping your DB integrity. It doesn't matter whether the request is being made from your page, from a tampered page or through a terminal, all the headers and posted data can be easily reproduced to look like a request being made from your page.
毕竟,我不确定您是否可以称其为"SQL注入".您的应用程序的功能需要一些包含整数值的输入.现在剩下的就是检查是否已经提供了必要的输入并且有效.所有用户输入都必须被视为不安全,并且必须经过正确验证和转义才能投入查询.
After all this, I'm not sure whether you can call this "SQL Injection". Your application's function requires some input which includes an integer value. Now what is left is checking whether the necessary input has been provided and is valid. All user input must be treated as unsafe and be properly validated and escaped before being throw into a query.
此外,请查看 PDO ,它可以很好地处理价值转义. mysql_*扩展名和mysql_real_escape_string函数已被弃用,极易出现人为错误.
Also, look into PDO which handles value escaping pretty well. The mysql_* extension and mysql_real_escape_string function are deprecated and very human-error prone.
关于防止SQL注入,链接线程
As for preventing against SQL injection, the linked thread in the question's comments is a good read.
这篇关于SQL注入更改ID值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
