绕过 mysql_real_escape_string() 的 SQL 注入 [英] SQL injection that gets around mysql_real_escape_string()

问题描述

即使使用mysql_real_escape_string()函数，是否也有SQL注入的可能性?

Is there an SQL injection possibility even when using mysql_real_escape_string() function?

考虑这个示例情况.SQL 在 PHP 中是这样构造的:

Consider this sample situation. SQL is constructed in PHP like this:

$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));

$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";

我听到很多人对我说，即使使用了 mysql_real_escape_string() 函数，这样的代码仍然很危险并且可能被破解.但我想不出任何可能的漏洞?

I have heard numerous people say to me that code like that is still dangerous and possible to hack even with mysql_real_escape_string() function used. But I cannot think of any possible exploit?

像这样的经典注入:

aaa' OR 1=1 --

不工作.

您是否知道任何可能通过上述 PHP 代码进行的注入?

Do you know of any possible injection that would get through the PHP code above?

推荐答案

考虑以下查询:

$iId = mysql_real_escape_string("1 OR 1=1");    
$sSql = "SELECT * FROM table WHERE id = $iId";

mysql_real_escape_string() 不会保护您免受此攻击.您在查询中的变量周围使用单引号 (' ') 这一事实可以保护您免受这种情况的影响.以下也是一个选项:

mysql_real_escape_string() will not protect you against this. The fact that you use single quotes (' ') around your variables inside your query is what protects you against this. The following is also an option:

$iId = (int)"1 OR 1=1";
$sSql = "SELECT * FROM table WHERE id = $iId";

这篇关于绕过 mysql_real_escape_string() 的 SQL 注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！