Is an SQL injection actually possible by adding a second query?


Question

There's a lot of warnings about SQL injections here on SO, but none I've found really answers: how does it happen? In this question, I'm assuming it's MySQL and PHP.

The basic mysql_ doesn't accept a second query inside a query, right?

So, basically, this

$unsafe = "');DROP TABLE table;--";
mysqli_query($con, "INSERT INTO table (Column) VALUES ('$unsafe')");

doesn't actually do anything harmful? Correct me on this.

I've no experience working with mysqli_, so I'll skip to PDO and "prepared statements".

When I started working with PDO, I had a lack of information on it, and basically used it like this, thinking it's safe.

$stm = $pdo->prepare("INSERT INTO table (Column) VALUES ('$unsafe')");
$stm->execute();

However, it's the same thing with PDO as with mysql_: it doesn't support multiple queries out of the box, right? Again, correct me on this.

Then this is considered safe, if I'm not wrong?

$stm = $pdo->prepare("INSERT INTO table (Column) VALUES (?)");
$stm->execute(array($unsafe));

How does a malicious user with no access to the database inject malicious data, if multiple queries aren't even supported?

Or do they?

Answer

Two queries with mysql + php is a fallacy

Source: http://xkcd.com/327/

This will not work with mysql and php without deliberate steps to make it possible, since the normal query function will only execute the first query.

That doesn't mean it's not possible - only that it should be very obvious when it is.

But the above means almost nothing in terms of sql injection. There is a huge, huge amount of information out there about sql injection, including a large number of questions here on stack overflow. Taking the example in the question, this is an equivalent attack which would work:

$id = "123 OR 1 = 1 --";
mysqli_query($con,"DELETE FROM table WHERE id = $id LIMIT 1");

i.e. finding an interface to delete my own comment, for example: if the id is not escaped, it would be trivial to delete all comments. But this example is just the very tip of an iceberg.

This code from the question:

$stm = $pdo->prepare("INSERT INTO table (Column) VALUES ('$unsafe')");
$stm->execute();

has none of the benefits of using PDO - i.e. any exploit (of the truly massive number) that would work with the mysql/mysqli driver (used naively) will work with pdo used in this way.

Using PDO with prepared statements with parameters escapes values appropriately, preventing sql injection attacks, so yes, this is safe from injection:

$stm = $pdo->prepare("INSERT INTO table (Column) VALUES (?)");
$stm->execute(array($unsafe));

How does a malicious user with no access to the database inject malicious data

Simply by finding a way to execute sql that either does what they want to do, or gives them the information to do it a different way.

For example:

function login() {
    // Attacker-supplied username: the quote closes the string literal, the OR
    // widens the match to any admin row, and "--" comments out the password check.
    $username = "irrelevant' OR is_admin = 1 --";
    $password = hash('sha256', 'irrelevant');
    $query = "SELECT id from users where username = '$username' AND password = '$password'";
    ...
}

How did a malicious user get access to the admin functionality on a system with no concern for injection? Very easily.

For general information about injection see the previous references.
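To make the answer's two single-statement examples (the DELETE with OR 1 = 1 followed by a comment, and the login tautology) concrete, here is an added, runnable example; it is not part of the original question or answer. It uses PDO against an in-memory SQLite database (assumed: the pdo_sqlite extension is available) as a stand-in for MySQL, since the "--" line comment and the OR tautology behave the same way in both. The schema and rows are constructed for the example. Each attacker string is run once interpolated into the query text and once bound as a parameter, so the difference the answer describes can be observed directly: the interpolated login query returns the admin row and the interpolated DELETE empties the table, while the bound versions treat the whole input as one literal value and match nothing.

```php
<?php
// Added example, not code from the original question or answer.
// SQLite via PDO stands in for MySQL; requires the pdo_sqlite extension.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and data.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)");
$pdo->exec("INSERT INTO users (username, password, is_admin) VALUES
            ('alice', 'hash-of-alice-pw', 1),
            ('bob',   'hash-of-bob-pw',   0)");
$pdo->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)");
$pdo->exec("INSERT INTO comments (body) VALUES ('one'), ('two'), ('three')");

// --- Login: the same input, interpolated vs. bound ---------------------------
$username = "irrelevant' OR is_admin = 1 --";   // the answer's payload; one statement
$password = 'irrelevant';

// Interpolation: the input becomes part of the SQL grammar. The comment marker
// drops the password check and the OR clause matches every admin row.
$naive = "SELECT id, username FROM users WHERE username = '$username' AND password = '$password'";
$row = $pdo->query($naive)->fetch(PDO::FETCH_ASSOC);
echo "Interpolated login matched: ", $row ? $row['username'] : 'nobody', PHP_EOL;

// Bound parameters: the driver sends the text as a value, never as SQL, so the
// whole string is compared against the username column and nothing matches.
$stm = $pdo->prepare("SELECT id, username FROM users WHERE username = ? AND password = ?");
$stm->execute([$username, $password]);
$row = $stm->fetch(PDO::FETCH_ASSOC);
echo "Parameterised login matched: ", $row ? $row['username'] : 'nobody', PHP_EOL;

// --- DELETE: the same input, bound vs. interpolated --------------------------
$id = "123 OR 1 = 1 --";                          // the answer's payload; one statement

// Bound: the string is compared with the integer id column as a value and
// deletes nothing.
$stm = $pdo->prepare("DELETE FROM comments WHERE id = ? LIMIT 1");
// SQLite only accepts LIMIT on DELETE when built with that option, so the
// bound variant is issued without it; the point is the binding, not the LIMIT.
$stm = $pdo->prepare("DELETE FROM comments WHERE id = ?");
$stm->execute([$id]);
echo "Comments after bound DELETE: ", $pdo->query("SELECT COUNT(*) FROM comments")->fetchColumn(), PHP_EOL;

// Interpolated: "--" comments out "LIMIT 1" and OR 1 = 1 matches every row.
$pdo->exec("DELETE FROM comments WHERE id = $id LIMIT 1");
echo "Comments after interpolated DELETE: ", $pdo->query("SELECT COUNT(*) FROM comments")->fetchColumn(), PHP_EOL;
```

Run it with php on the command line. The point to take away is the one the answer makes: none of the payloads needs a second statement, so "the driver only executes one query" is not a defence. Binding every user-supplied value as a parameter (and never building the SQL text from it) is what removes the attacker's influence over the query structure, with mysqli prepared statements or PDO alike.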
