绕过 mysql_real_escape_string() 的 SQL 注入 [英] SQL injection that gets around mysql_real_escape_string()
问题描述
即使使用mysql_real_escape_string()
函数,是否也有SQL注入的可能性?
Is there an SQL injection possibility even when using mysql_real_escape_string()
function?
考虑这个示例情况.SQL 在 PHP 中是这样构造的:
Consider this sample situation. SQL is constructed in PHP like this:
$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));
$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";
我听到很多人对我说,即使使用了 mysql_real_escape_string()
函数,这样的代码仍然很危险并且可能被破解.但我想不出任何可能的漏洞?
I have heard numerous people say to me that code like that is still dangerous and possible to hack even with mysql_real_escape_string()
function used. But I cannot think of any possible exploit?
像这样的经典注入:
aaa' OR 1=1 --
不工作.
您是否知道任何可能通过上述 PHP 代码进行的注入?
Do you know of any possible injection that would get through the PHP code above?
推荐答案
考虑以下查询:
$iId = mysql_real_escape_string("1 OR 1=1");
$sSql = "SELECT * FROM table WHERE id = $iId";
mysql_real_escape_string()
不会保护您免受此攻击.您在查询中的变量周围使用单引号 (' '
) 这一事实可以保护您免受这种情况的影响.以下也是一个选项:
mysql_real_escape_string()
will not protect you against this.
The fact that you use single quotes (' '
) around your variables inside your query is what protects you against this. The following is also an option:
$iId = (int)"1 OR 1=1";
$sSql = "SELECT * FROM table WHERE id = $iId";
这篇关于绕过 mysql_real_escape_string() 的 SQL 注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!