Can you "SQL Inject" a PHP Variable Comparison?


Question

So something that I have been wondering about while working on a current project is if a simple variable comparison is in danger of "SQL Injection" type attacks when one of the variables is user entered.

My basic login functionality works by taking the user provided username and using a prepared statement to look it up in the profiles table. If a record is found, the profileID is then retrieved from the record and used to look up the user's password in another permissions table. If THAT query is successful then the user provided password is === against the retrieved password from the database.

So my question is, does that last step pose a risk? I have tried hacking it myself, putting through values like a' == 'a' || 'a in an attempt to falsely trigger the $pass === $checkPermRow['pass'], but it doesn't seem to do anything. Am I safe?

Answer

If you use prepared statements and pass the input as parameters to the prepared statement, you’re safe from SQL injections. The parameters should be handled properly and it should not be possible that fragments of the passed parameters are interpreted as SQL code instead of data. That’s the exact point of parameterization, i. e., the separation of code and data parameters.

So it should not be possible to inject anything into the query. However, you should not store the passwords in plaintext but in an irreversible form, as a hash using an appropriate hash function.

As for your question whether an injection is also possible in PHP itself: Yes, code injection can happen in any code that gets generated dynamically, so even in PHP.

However, you would need not just to generate the code dynamically but also execute it. PHP has some functions that execute PHP code, e. g., the eval function. However, you would probably not use constructs like this:

if (eval("return '$pass' === '$checkPermRow[pass]';"))

This would be vulnerable to PHP code injection, and a' == 'a' || 'a would result in something like:

return 'a' == 'a' || 'a' === 'password from database';
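The following is an added example, not code from the question or the answer, showing the two-step login flow described above done safely: both lookups use PDO prepared statements, the stored value is a password hash rather than plaintext, and the final check is a plain comparison in which the user's string is only ever data. The SQLite in-memory database, the table names profiles and permissions, and the column names profileID, username and pass are assumptions made for the demo (the page names the tables and the pass column but not a schema); it needs the pdo_sqlite extension.

```php
<?php
// Added example, not part of the original Q&A. The schema below is
// constructed for illustration and assumes the pdo_sqlite extension.

function setupDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE profiles (profileID INTEGER PRIMARY KEY, username TEXT UNIQUE)');
    $db->exec('CREATE TABLE permissions (profileID INTEGER, pass TEXT)');
    $db->exec("INSERT INTO profiles (profileID, username) VALUES (1, 'alice')");

    // Store a hash of the password, never the plaintext itself.
    $hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    $ins = $db->prepare('INSERT INTO permissions (profileID, pass) VALUES (?, ?)');
    $ins->execute([1, $hash]);
    return $db;
}

function login(PDO $db, string $username, string $password): bool {
    // Step 1: look up the profile. The username is bound as a parameter,
    // so whatever the user typed is sent as data, not spliced into the SQL.
    $stmt = $db->prepare('SELECT profileID FROM profiles WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    // Step 2: fetch the stored hash by profileID, again parameterized.
    $stmt = $db->prepare('SELECT pass FROM permissions WHERE profileID = ?');
    $stmt->execute([$row['profileID']]);
    $permRow = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($permRow === false) {
        return false;
    }

    // Step 3: compare. password_verify() hashes the supplied password and
    // compares it to the stored hash in constant time. The user's string is
    // never evaluated as code; it is only a value being compared.
    return password_verify($password, $permRow['pass']);
}

$db = setupDemoDb();
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', "a' == 'a' || 'a"));
var_dump(login($db, "alice' OR '1'='1", 'anything'));

// For contrast with the eval() construct above: a plain === on two strings
// is also just a data comparison, so the quote-laden input has no effect.
var_dump("a' == 'a' || 'a" === 'password from database');
```

Only the first call succeeds: the second fails because the hash does not verify, and the third fails because no profile has that literal username. The quotes and || in the input are simply characters in a string; unlike the eval() example, there is no step at which PHP parses them as an expression.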

