htmlspecialchars是否足以防止对用单引号引起来的变量进行SQL注入? [英] Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?

问题描述

尽管许多资料来源引用htmlspecialchars函数和ENT_QUOTES来表示不足不足以防止SQL注入，但没有一个提供了这一概念的证明.我自己想不到任何可能性.

Although many sources quote the htmlspecialchars function with ENT_QUOTES to be not enough to prevent SQL injection, none of them provide a proof of the concept. I cannot think of any possibility myself.

让我们考虑以下示例:

$username = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
$sql = "SELECT * from user WHERE name='$username'";
mysql_query($sql,...);

除了推荐答案

htmlspecialchars无法编码关键字符\0(NUL字节)，\b(退格)以及字符.

The character that htmlspecialchars fails to encode the critical character \0 (NUL byte), \b (backspace), as well as the \ character.

为了利用这一点，您需要一个带有多个注入点的语句.这样，您可以转义一个字符串文字的结束定界符，从而将其扩展到下一个字符串文字的下一个起始定界符.然后可以将三个每个带有注入点的字符串文字转换为两个字符串文字.

In order to exploit this, you need a statement with multiple injection points. With this you can escape the closing delimiter of one string literal and thus expand it up to the next starting delimiter of the next string literal. Three string literals each with an injection point can then be transformed into two string literals.

例如:

SELECT * from user WHERE (name='$login' OR email='$login') AND password='$password'

现在具有以下值:

login:    ) OR 1=1 /*\
password: */--

结果语句如下:

SELECT * from user WHERE (name=') OR 1=1 /*\' OR email=') OR 1=1 /*\') AND password='*/--'

等同于:

SELECT * from user WHERE (name=') OR 1=1 /*\' OR email=') OR 1=1

这篇关于htmlspecialchars是否足以防止对用单引号引起来的变量进行SQL注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！