避免攻击SQL注入？ [英] Avoiding attack SQL injection ?

问题描述

您好。我想学习防止sql注入。如您所知，通过nuke可以获得的最佳保护是sql注入的工作原理。我有用PHP编写的代码我使用PDO来提高安全性。我已经阅读了许多与sql注入攻击相关的文章，但很少有关于PDO的文章，因此可以理解PDO更安全。我有一个代码，有时可以阻止我的攻击。所以简而言之，我希望将来成为一名安全专家。无论如何。也许您知道PDO上的攻击方法是什么？下面我将给你一个代码，正如我之前所说的相对抵抗攻击。在此先感谢您的帮助。



index.php

Hello. I would like to learn protection against sql injection. As you know, the best protection you can get through the nuke is how sql injection works. I have code written in PHP I used PDO for greater security. I have read many articles related to sql injection attacks but few articles are on PDO, so it can be understood that PDO is more secure. I have a code that at times prevented my attacks. So in a nutshell, in the future I would like to become a security expert. Anyway. Maybe you know what attack methods are on PDO? Below I will give you a code that as I said before is relatively resistant to attacks. Thanks in advance for your help.

index.php

<!DOCTYPE html>
<html>
<body>
    <form action="login.php" method="post">
            <input type="text" name="name" placeholder="Your name">
            <input type="text" name="email" placeholder="Your email">
        <input type="submit" name="sent" id="ref" value="Send">
    </form><

</div>
</body>
</html>

login.php

<?php
session_start();

    $dbname = 'test'; 
    $dbhost = 'localhost';
    $dbuser = 'root';
    $dbpass = '';

    try 
    {
        if((!isset($_POST['name'])) || (!isset($_POST['email'])))
        {
            header("Location: index.php");
            exit();
        }
            $PDO = new PDO('mysql:host='.$dbhost.';dbname='.$dbname,$dbuser,$dbpass);
            $userow = $PDO->prepare('SELECT * FROM `users` WHERE `user`="'.$_POST['name'].'" ');
            $userow->execute();

            $count = $userow->rowCount();
            if($count>0)
            {
                $row = $userow->fetch(PDO::FETCH_ASSOC);
                if($_POST['email'] === $row['pass'])
                {
                    $_SESSION['logged'] = true;
                    $_SESSION['nick'] = $row['user'];
                    $_SESSION['pass'] = $row['pass'];
                    header("Location: logged.php");
                }
                else
                {
                    echo "Wrong login or password!";
                }
        }
        else
        {
                echo "Wrong login or password!";
        }
    }
    catch(PDOException $error)
    {
        die('Error!:'.$error->getMessage());
    }
?>

logged.php

logged.php

<?php
	session_start();

	if (!isset($_SESSION['logged']))
	{
        header("Location: index.php");
		exit();
	} 
?>
<!DOCTYPE html>
<html>
<body>
    <a href="logout.php">Logout!</a>
	<?php

    $dbname = 'test'; 
    $dbhost = 'localhost'; 
    $dbuser = 'root'; 
    $dbpass = '';

    try 
    {     
            $PDO = new PDO('mysql:host='.$dbhost.';dbname='.$dbname,$dbuser,$dbpass);
            $userow = $PDO->prepare('SELECT * FROM `users` WHERE user`="'.$_SESSION['nick'].'" ');
            $userow->execute();

            $row = $userow->fetch(PDO::FETCH_ASSOC);

			echo $row['user'];
    
    }
    catch(PDOException $error)
    {
        die('Error!'.$error->getMessage());
    }
?>
</body>
</html>

我尝试了什么：



基本sql注入

-在文本框登录中添加撇号

- 在文本框密码中添加撇号或1 = 2

等。

What I have tried:

Basic sql injection
-Add an apostrophe to the textbox login
-Add an apostrophe to the textbox password OR 1=2
etc.

推荐答案

dbname = ' test';

dbname = 'test';

dbhost = ' 本地主机';

dbhost = 'localhost';

dbuser = ' 根;

dbuser = 'root';

这篇关于避免攻击SQL注入？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！