仅使用str_replace的SQL注入保护 [英] Sql Injection protection with only str_replace

问题描述

我正在研究SQL注入，并在我的PHP代码中尝试了以下查询:

I'm studying SQL injection and tried in my PHP code this query:

$condition = str_replace(["'","\\"],["\\'","\\\\"], @$_GET['q']);
$query = "SELECT * FROM dummy_table WHERE dummy_column = '$condition'";

数据库和表的字符集设置为UTF8.

DB and tables charset is set to UTF8.

我什么也不能注射，有人可以帮我吗?

I can't inject anything, can someone help me please?

正如GarethD所指出的那样，这将首先转义'，然后是\，从而允许注入，这个str_replace呢?

As pointed out by GarethD this would escape first ' and than \, allowing injection, what about this str_replace?

$condition = str_replace(["\\","'"],["\\\\","\\'"], @$_GET['q']);

推荐答案

这个孤立的示例不可注入.

This isolated example is invulnerable to injection.

但是您必须意识到防止SQL注入不仅仅是字符替换.而且情况可能与您目前认为理所当然的情况有所不同.因此，由于此方法的主要缺点，从长远来看，您的代码将变得容易受攻击.:

But you have to realize that protection from sql injection is not just a character replace. And circumstances may differ from ones you are taking at the moment for granted. So, your code would become vulnerable on the long run, due to essential drawbacks of this method:

• 字符替换只是所需格式的一部分
• 这种特殊的替换只能应用于弦乐，而其他部分则绝对不受保护.
• 这种替换是查询执行的外部条件，这意味着它很容易出现任何人为错误.
• 这样的替换实际上是一种可分离的措施，这意味着它可能与实际的查询执行相距太远，最终被遗忘了.
• 这种转义容易受到编码攻击，也使解决方案成为可能使用受到限制.

• character replace is only a part of required formatting
• this particular replacement can be applied to strings only, leaving other parts absolutely unprotected.
• such a replace is external to a query execution, means it is prone to a human error of any sort.
• such a replace is an essentially detachable measure, means it can be moved too far away from the actual query execution and eventually forgotten.
• this kind of escaping is prone to encoding attack, making solution too limited in use.

字符替换本身没有任何问题，但前提是必须将其用作完整格式的一部分.适用于正确的查询部分；由数据库驱动程序而不是程序员完成；在执行之前.

There is nothing wrong in character replacement per se, but only if it is used as a part of complete formatting; applied to the right query part; and done by a database driver, not a programmer; right before execution.

您在注释中提出的功能是一个不错的步骤，但仍然不够，因为它是上面列出的缺点的主体，因此很容易出现各种人为错误.

Functions you proposed in the comments are a good step, but still insufficient, being subjects of the drawbacks listed above, making them prone to all sorts of human errors.

SQL注入并不是这种方法的唯一问题，它也是一个可用性错误，因为如果用作

And SQL injection is not the only problem with this approach, it is a usability fault as well, as this function would either spoil your data, if used as an incarnation of late magic quotes, or make your code bloated, if used to format every variable right in the application code.

此类函数只能用于处理占位符，但当然不能通过使用自制的替换函数来实现，而是通过数据库API提供的适当函数来实现.

Such functions can be used only to process a placeholder, but of course not by means of using a homebrewed replace function, but a proper function provided by database API.

这篇关于仅使用str_replace的SQL注入保护的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！