PHP的addlashes是否容易受到sql注入攻击? [英] Is PHP's addslashes vulnerable to sql injection attack?

问题描述

可能重复:
mysql_real_escape_string()做什么而addslashes()不会做什么? t?

Possible Duplicate:
What does mysql_real_escape_string() do that addslashes() doesn't?

我一直在评论有关PHP的addslashes函数如何/为什么容易受到sql注入攻击的文章.我读过的所有内容都说特定的mysql编码类型存在问题(默认字符集= GBK)，或者如果启用了magic_quotes则存在问题.但是，在这种情况下，我一直无法突破adslashes()函数，并且做了一些恶意的事情-例如以管理员身份登录.

I have been reviewing articles on how/why PHP's addslashes function is vulnerable to sql injection. Everything I have read says there are problems with specific mysql encoding types (default-character-set=GBK), or there are problems if magic_quotes are enabled. However, I have been unable break out of the addslashes() function in this scenario and do something malicious - such as login as an administrator.

    $user = addslashes($_POST['user']);
    $pass = sha1($_POST['pass']);
    $sql = "SELECT * FROM admins WHERE user = '".$user."' AND `pass` = '".$pass."'";

    $nums = mysql_num_rows(mysql_query($sql));

    if($nums==1){
    $_SESSION['admin_user'] = $user;
    $_SESSION['admin_pass'] = $pass;

这是针对客户端的(次要)安全审核，我建议他们使用PDO，但我需要显示其当前漏洞.

This is a (minor) security audit for a client and I will recommend that they utilize PDO, but I need to display their current vulnerability.

参考:

• http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
• http://hakipedia.com/index.php/SQL_Injection# Addslashes.28.29_.26_magic_quotes_gpc

• http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
• http://hakipedia.com/index.php/SQL_Injection#addslashes.28.29_.26_magic_quotes_gpc

推荐答案

Shiflett在他的博客条目中展示了完整的可利用漏洞.您上面显示的代码似乎没有遵循该示例，因为它未使用显示漏洞的字符集.不过，这个漏洞肯定存在.

Shiflett shows a full working exploit in his blog entry. The code you show above doesn't seem to be following that example as it's not using the character set that exhibits the vulnerability. Still, the hole definitely exists.

即使在特定情况下碰巧是安全的，使用addslashes()的做法仍然很危险，即使漏洞利用程序要求的环境非常深奥，Shiflett的文章也应为您提供足够的论据来论证.复制并非完全无关紧要.

Even if it happens to be safe in the specific scenario, the practice of using addslashes() is still dangerous and Shiflett's article should give you enough material to argue with, even though the circumstances the exploit requires are very esoteric, and they're not entirely trivial to reproduce.

如果您的客户没有在特定系统上看到实时漏洞利用程序就无法接受危险，那么他们就不值得对其进行安全审核.

If your client doesn't accept the danger without seeing a live exploit on their specific system, then they're not worth doing a security audit for.

这篇关于PHP的addlashes是否容易受到sql注入攻击?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！