尽管使用了PHP魔术引号，但仍成功进行了SQL注入 [英] Successful SQL Injection despite PHP Magic Quotes

问题描述

我一直读到魔术引号根本不能停止SQL注入，但是我不明白为什么不这样做！例如，假设我们有以下查询:

SELECT * FROM tablename
  WHERE email='$x';

现在，如果用户输入为$x=' OR 1=1 --，则查询为:

SELECT * FROM tablename
  WHERE email='\' OR 1=1 --';

Magic Quotes将添加反斜杠，而不会造成任何损害！

有没有办法我看不到用户可以在此处绕过魔术引号插入的地方?

解决方案

技巧通常是传递一个二进制值，以使反斜杠成为有效的多字节字符的一部分.这是有关它的博客文章. /p>

I have always read that Magic Quotes do not stop SQL Injections at all but I am not able to understand why not! As an example, let's say we have the following query:

SELECT * FROM tablename
  WHERE email='$x';

Now, if the user input makes $x=' OR 1=1 --, the query would be:

SELECT * FROM tablename
  WHERE email='\' OR 1=1 --';

The backslash will be added by Magic Quotes with no damage done whatsoever!

Is there a way that I am not seeing where the user can bypass the Magic Quote insertions here?

解决方案

The trick is usually to pass a binary value so that the backslash would become a part of valid multibyte character. Here is a blog post about it.

这篇关于尽管使用了PHP魔术引号，但仍成功进行了SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！