黑客站点 - SQL注入 [英] Hacker Site - SQL Injection

问题描述

过了一段时间我现在有一个文件上传到我的网站覆盖索引，该文件吹嘘这些黑客惊人的技能来破坏我的网站。从来没有弄清楚他们是如何做到的，但我发现我的网站在这个网站上列出：

< link removed> （请注意，这是指向某种黑客网站的链接，链接可能不安全我不知道所以只是让你知道。


无论如何，该网站是另一种语言，但我注意到它说Somthing：SQL Injection，在导航回本网站的主页后，我找到了表格（上面链接中的表格，我真的不想亲自测试）。我假设人们只是进入他们想要的任何网站，它利用某种常见的弱点或某些东西，但就像我说我不知道​​，因为它在我的网站旁边列出了SQL注入我会假设。我在每页的顶部都有针对SQL注入的以下内容：


[PHP]

if（！get_magic_quotes_gpc（））< br $>
{

$ _GET = array_map（''mysql_real_escape_string''，$ _GET）;

$ _POST = array_map（''mysql_real_escape_string''，$ _POST）;

$ _COOKIE = array_map（''mysql_real_escape_string''，$ _COOKIE）;

}

else

{

$ _GET = array_map（''stripslashes''，$ _GET）;

$ _POST = array_map（''stripslashes''，$ _POST）;

$ _COOKIE = array_map（''stripslashes''，$ _COOKIE）;

$ _GET = array_map（''mysql_real_escape_string''，$ _GET）;

$ _POST = array_map（''mysql_real_escape_string''，$ _POST）;

$ _COOKIE = array_map（''mysql_real_escape_string''，$ _COOKIE）;

}

[/ PHP]


这还不够，还有什么我应该做的？有人能够给我一行文字进入我的网站上的表格（我认为它只是像mysql_query（INSERT ........）这样的东西，显然只有一些东西不会造成太大的伤害）所以我可以看到哪些弱点。


感谢您对此提出任何建议/意见，只是试图深入了解所以不要发生这种情况再次。

Quite a while back now I had a file uploaded to my site overwriting the index, which boasted of this hackers amazing skills in defacing my site. Never did figure out how they did it, however I found my website listed on this site:

<link removed> (Note thats the link to some sort of hacker site, the link may not be safe I don''t know so just letting you know).

Anyway, the site is in another language but I noticed it said Somthing: SQL Injection, and after navigating back to the main page of this site I found the form (the one in the link above, don''t really want to test it myself). I assume people just enter in whatever site they want and it exploits some sort of common weakness or somthing, but like I said I don''t know and since it had SQL Injection listed next to my site I''m going to assume that. I''ve got the following in place for SQL Injection at the top of every page:

[PHP]
if(!get_magic_quotes_gpc())
{
$_GET = array_map(''mysql_real_escape_string'', $_GET);
$_POST = array_map(''mysql_real_escape_string'', $_POST);
$_COOKIE = array_map(''mysql_real_escape_string'', $_COOKIE);
}
else
{
$_GET = array_map(''stripslashes'', $_GET);
$_POST = array_map(''stripslashes'', $_POST);
$_COOKIE = array_map(''stripslashes'', $_COOKIE);
$_GET = array_map(''mysql_real_escape_string'', $_GET);
$_POST = array_map(''mysql_real_escape_string'', $_POST);
$_COOKIE = array_map(''mysql_real_escape_string'', $_COOKIE);
}
[/PHP]

Is this not enough, what else should I be doing? would someone be able to give me a line of text to enter into forms on my site (I assume it''s just somthing like " mysql_query("INSERT........") obviously only somthing that wont do much damage) so I can see where weaknesses are.

Thanks for any advice / opinions on this, just trying to get to the bottom of this so it dosn''t happen again.

推荐答案

_GET = array_map（''mysql_real_escape_string''，

_GET = array_map(''mysql_real_escape_string'',

_GET）;

_GET);

_POST = array_map（''mysql_real_escape_string''，

_POST = array_map(''mysql_real_escape_string'',

这篇关于黑客站点 - SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！