ADOdb 中的 SQL 注入和一般网站安全 [英] SQL injections in ADOdb and general website security
问题描述
我已经读了很多书,但仍然没有 100% 理解某些 SQL 注入是如何发生的!
I have done pretty much reading and still don't understand 100% how some of the SQL injections happen!
我想从那些知道的人那里看到基于我的示例的 SQL 注入的具体示例,以便它可以被复制、测试和修复.我曾尝试 SQL 注入我的代码,但没有成功,所以我希望有人能证明我不是这样!
I'd like to see, from those who know, concrete examples of SQL injection based on my example, so it could be replicated, tested and fixed. I have tried to SQL inject my code and couldn't, so I'd like someone to prove me otherwise!
1.SQL 注入只能通过 POST 或 GET 方法发生,这意味着在网站上它应该是发布表单,例如注册或搜索"或search.php?tags=love"之类的查询?
1.Am I right that SQL injection can happen ONLY with POST or GET methods, meaning that on the website it should be the post form, e.g. 'signup or search' or query like 'search.php?tags=love'?
说这可以注入下面有POST方法的代码吗?
Saying that is this possible to inject the following code that has POST method?
$name = trim($_POST['username']);
$mail = trim($_POST['email']);
$password = trim($_POST['password ']);
if ($errors == "false") {
$sql =
"INSERT INTO
clients
SET
name='" . mysql_real_escape_string($name) . "',
mail='" . mysql_real_escape_string($mail) . "',
password='" . mysql_real_escape_string(sha1($password)) . "'";
$connection->execute($sql);
}
2.另一个有GET方法:rate.php?like&videoID=250&userID=30
2.The other one has GET method: rate.php?like&videoID=250&userID=30
$sql =
"SELECT
videoID
FROM
likes
WHERE
videoID = '" .mysql_real_escape_string($videoID). "' AND UID = '" .mysql_real_escape_string($userID). "' LIMIT 1";
$connection->execute($sql);
请帮助那些对主题随意但使用具体示例的人.
Please help those that feel free with the subject but use the concrete examples.
提前致谢,
伊利亚
Thanks in advance,
Ilia
推荐答案
SQL 注入攻击发生在用户输入编码不正确时.通常,用户输入是用户随查询发送的一些数据,即 $_GET、$_POST、$_COOKIE、$_REQUEST 或 $_SERVER 数组.但是,用户输入也可以来自各种其他来源,例如套接字、远程网站、文件等.因此,您应该真正处理除常量之外的所有内容(例如 'foobar') 作为用户输入.
SQL injection attacks happen when user input is improperly encoded. Typically, the user input is some data the user sends with her query, i.e. values in the $_GET, $_POST, $_COOKIE, $_REQUEST, or $_SERVER arrays. However, user input can also come from a variety of other sources, like sockets, remote websites, files, etc.. Therefore, you should really treat everything but constants (like 'foobar') as user input.
在您发布的代码中,mysql_real_escape_string 用于编码(=转义)用户输入.因此代码是正确的,即不允许任何 SQL 注入攻击.
In the code you posted, mysql_real_escape_string is used to encode(=escape) user inputs. The code is therefore correct, i.e. does not allow any SQL injection attacks.
请注意,很容易忘记对mysql_real_escape_string 的调用 - 对于熟练的攻击者来说,一次就足够了!因此,您可能希望使用现代 PDO 和 准备语句 而不是 adodb.
Note that it's very easy to forget the call to mysql_real_escape_string - and one time is enough for a skilled attacker! Therefore, you may want to use the modern PDO with prepared statements instead of adodb.
这篇关于ADOdb 中的 SQL 注入和一般网站安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
