我真的不懂mysql注入吗?它是什么? [英] I really do not understand mysql injection? What is it?

问题描述

我没有使用mysql或php的经验，我一直在提我的问题，但人们一直说您需要mysql注入保护，我查了一下，但我真的不明白.谁能帮我?我对mysql还是很陌生，对它有点麻烦

I am not experienced with mysql or php and i keep mentioning that in my questions but people keep saying you need mysql injection protection and I've looked it up and i really don't get it. Can anyone help me? I am so new to mysql and am having a bit of trouble with it

这是我的代码:

如何进行改进?当我右键单击该站点以查看源代码时，没有php/mysql出现.

How can it be improved? When i go to view my source code by right clicking on the site, none of the php/mysql appears.

<?php
$conn = mysql_connect("", "", "");
if (!$conn) {
  echo "Unable to connect to DB: " . mysql_error();
  exit;
}

$search = "%".$_POST["search"]."%";
$searchterm = "%".$_POST["searchterm"]."%";

if (!mysql_select_db("")) {
  echo "Unable to select mydbname: " . mysql_error();
  exit;
}

$sql = "SELECT name,lastname,email 
        FROM test_mysql
        WHERE name LIKE '%".$search."%' AND lastname LIKE '%".$searchterm."%'";
$result = mysql_query($sql);

if (!$result) {
  echo "Could not successfully run query ($sql) from DB: " . mysql_error();
  exit;
}

if(empty($_GET['search'])){ // or whatever your field's name is
  echo 'no results';
} else {
  performSearch(); // do what you're doing right now
}

if (mysql_num_rows($result) == 0) {
  echo "No rows found, nothing to print so am exiting";
  exit;
}
while ($row = mysql_fetch_assoc($result)) {
  echo '<br><br><div class="data1">';
  echo $row["name"];
  echo '</div><br><div class="data2">';
  echo $row["lastname"];
  echo '</div><br><div class="data3">';
  echo $row["email"];
  echo '</div>';
}
mysql_free_result($result);

?>

推荐答案

SQL注入是攻击的名称，但潜在的问题是输入验证不足.输入以下代码:

SQL injection is the name of the attack, but the underlying problem is insufficient input verification. Take the following code:

$search = $_POST['search'];
$sql = "SELECT name,lastname,email
FROM   test_mysql
WHERE  name LIKE '%".$search."%'";
$result = mysql_query($sql);

如果有人在搜索表单中输入O'Reilly会怎样?

What happens if someone enters O'Reilly in the search form?

好吧，查询最终被构造为:

Well, the query is eventually constructed as:

SELECT name, lastname, email FROM test_mysql
WHERE name LIKE '%O'Reilly%'

这不是有效的SQL查询，只会导致出现错误消息.因此，您的代码有错误；它不能处理包含'的输入.

This is not a valid SQL query, but will merely lead to an error message. Therefore, your code is buggy; it cannot handle inputs that contain '.

现在，让我们考虑一个恶意的人，马洛里.导致错误并不会以有害的方式帮助Mallory，除非他想强调读取所有错误日志的数据库管理员.他输入:%'; INSERT INTO test_mysql name,lastname,email VALUES('mal','ory','malory@evil.com');--.现在，完整的SQL查询是

Now, let's consider a malicious person, Mallory. Causing the error doesn't help Mallory in his evil ways, unless he wants to stress database administrators who read all the error logs. He inputs: %'; INSERT INTO test_mysql name,lastname,email VALUES('mal','ory','malory@evil.com');--. Now, the complete SQL query is

SELECT name, lastname, email FROM test_mysql
       WHERE name LIKE '%%';
INSERT INTO test_mysql name,lastname,email
       VALUES('mal','ory','malory@evil.com');
--%'

最后一行是注释，被忽略. Mallory现在可以将任意内容写入数据库！

The last line is a comment and ignored. Mallory can now write arbitrary things to the database!

请注意，这需要能够在一个MySQL中执行多个命令.如果未启用该功能，则Mallory必须求助于使用子查询和谓词.在某些情况下，Mallory应该无法查看整个表(例如，他应该只能在网上商店中查看自己的购买，而不能在其他客户那里查看).他只需输入' OR ''='即可查看查询的全部内容.

Note that this requires the ability to execute more than one command in one MySQL. If that feature is not enabled, Mallory has to resort to using subqueries and predicates. In some cases, Mallory should not be able to view the whole table (for example, he should only be able to view his purchases in a webshop, not other customers'). He can simply input ' OR ''=' to see the whole content of the query.

您可以通过转义值来保护自己，如下所示:

You can protect yourself by either escaping values, like this:

$search = $_POST['search'];
$sql = "SELECT name,lastname,email
FROM   test_mysql
WHERE  name LIKE '%". mysql_real_escape_string($search) ."%'";
$result = mysql_query($sql);

或者，使用PDO和准备好的语句:

$sql = "SELECT name,lastname,email
FROM   test_mysql
WHERE  name LIKE :search";
$statement = $pdo->execute($sql,
               array(':search' => '%' . $_POST['search'] . '%'));

这篇关于我真的不懂mysql注入吗?它是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！