一种注入攻击,该攻击通过mysql_query成功,但由于mysqli_query而失败 [英] An injection attack that succeeds with mysql_query, but fails with mysqli_query
问题描述
更新:对此有一些启发性的响应,主要要点是不建议使用mysql函数,并且mysqli允许您使用准备好的语句.在我看来,这很有意义,而且很有帮助,尽管使用mysqli"既无建设性,也无济于事.
Update: There have been some illuminating responses to this, and the main points are that mysql functions are deprecated, and also that mysqli allows you to use prepared statements. That makes a lot of sense, and is helpful, while just "use mysqli" is neither constructive, nor helpful, in my opinion.
无论何时在SO上询问PHP和MySQL问题,并且OP都有使用mysql_query的代码,本能的社区反应就是评论说他们应该使用mysqli函数家族.
Anytime a PHP and MySQL question is asked on SO, and the OP has code which uses mysql_query, the instinctive community reaction is to comment that they should be using the mysqli family of functions instead.
请提供一个场景,如果我的代码使用mysql_query,恶意用户可能会发起成功的注入攻击,但是如果尝试相同的攻击,但是代码使用了mysqli功能,那就会很受挫.反而?像通常的情况一样,假定在一条语句中禁用了多个查询.
Can you please provide a scenario where a malicious user could launch a successful injection attack if my code is using mysql_query, but it would be the thwarted if the same attack was attempted, but the code used the mysqli functions instead? Assuming multiple queries in one statement is disabled, as is the typical case.
推荐答案
我一直被认为:
$selection = mysql_query($dblink, "SELECT * FROM table WHERE name='$idValue' ");
容易被$idValue的值所折衷,这些值会关闭'然后添加其他命令,例如
can be easily compromised with values for $idValue which close the ' and then add extra commands, such as
$idValue = "z'; DELETE * FROM table WHERE name IS NOT NULL";
虽然我知道您指出多个语句已被禁用,但并不是很可怕的事情是返回未经授权的数据,而不是直接在表中编辑数据,例如:
While I realise you state that multiple statements are disabled, something that is not as horrific would be to return unauthorised data rather than editing data in the table directly, such as:
$idValue = "z' OR name IS NOT NULL OR name = 'x";
在MySQLi中,存在可能性,该方法可以与prepared statements一起使用,这将防止变量仅作为变量在其状态之外发挥作用.如:
Whereas with MySQLi there is the possibility that the approach can be used with prepared statements, which would prevent the variable acting outside of its status as just a variable. Such as:
mysqli->prepare("SELECT * FROM tables WHERE name = ? LIMIT 1");
mysqli->bind_param("s",$idValue);
mysqli->execute();
我对bind_param的理解是,该变量将转义所有MySQL关键字和键字符,从而防止了安全漏洞和未授权行的返回.
My understanding of bind_param is that the variable would have all MySQL keywords and key characters escaped thus preventing the security breach and the return of unauthorised rows.
这是MySQL 没有 的选择.准备好的语句确实有助于提高注入安全性,但是它们并不能单独防止注入攻击,而是程序员应将其用作更广泛策略的一部分.
This is a choice that MySQL does not have. Prepared statements do help with improving injection security but they will not prevent injection attacks alone, but more should be used as part of a wider strategy by the programmer.
就像穿着防弹衣并不能使您立于不败之地,但它会大大提高您的生存机会. MySQLi不是万能的,PDO也不是,但是它们将整体上提高安全级别.
Just as wearing body armour will not make you invincible, but it will greatly improve your chances of survival. MySQLi is not a magic bullet, and nor is PDO, but they will improve the security levels overall.
MySQL也已过时,正如Christopher所说,不再维护它意味着漏洞和问题的数量只会随着其他技术的不断发展而增加.
MySQL is also deprecated and as stated by Christopher, being no longer maintained means that the number of holes and problems with it will only increase as other technologies continues to develop.
如果您以与编写MySQL语句相同的方式编写MySQL i 语句,那么您将不会受到注入的额外保护.但是,MySQLi提供了 Prepared Statements 方法,该方法可以显着提高对SQL注入的防御能力,但是底层数据库接口本身的更改不会给您带来任何固有的好处或保护,除非您选择使用准备好的语句自己编写这些代码.
If you write MySQLi statements in the same manner as you wrote MySQL statements, then you will have no additional protection from injections. However, MySQLi offers the Prepared Statements approach which does significantly increase the defence against SQL injection, but the change of underlying database interface in itself does not give you any inherent benefits or protections unless you choose to code these in yourself using prepared statements.
这篇关于一种注入攻击,该攻击通过mysql_query成功,但由于mysqli_query而失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
