PHP:
PHP:
$SQL = "SELECT goodies FROM stash WHERE secret='" . str_replace("'",'',$_POST['secret']) . "'";
Could an evil genius hacker inject SQL into my SELECT - How ?
一个邪恶的天才黑客会把SQL注入到我的选择中吗?
4 个解决方案
#1
6
I've had a think about this for a while and I can't see any way to inject SQL into this statement.
我已经思考了一段时间,我看不到任何将SQL注入到这个语句中的方法。
An SQL string that starts with a single quotes terminates at the next single quote unless it is escaped with a backslash or another quote (\'
or ''
). Since you are removing all single quotes there cannot be a doubled quote. If you escape the closing quote you will get an error, but no SQL injection.
以单引号开头的SQL字符串会在下一个单引号结束,除非用反斜杠或其他引号(\' or ')来转义。因为你删除了所有单引号,所以不能有双引号。如果您脱离了结束引号,您将得到一个错误,但是没有SQL注入。
However this method has a number of drawbacks:
然而,这种方法有许多缺点:
- Single quotes in the input are ignored.
- 输入中的单引号将被忽略。
- Backslashes in the input aren't handled correctly - they will be treated as escape codes.
- 输入的反斜杠不能正确处理——它们将被当作转义代码处理。
- You get an error if the last character is a backslash.
- 如果最后一个字符是反斜杠,就会出现错误。
- If you later extend the query to add a second parameter, it would allow an SQL injection attack.
- 如果稍后扩展查询以添加第二个参数,将允许SQL注入攻击。
For example:
例如:
$SQL = "SELECT goodies FROM stash WHERE secret='" .
str_replace("'",'',$_POST['secret']) .
"' AND secret2 = '" .
str_replace("'",'',$_POST['secret2']) .
"'";
When called with parameters \
and OR 1 = 1 --
would result in:
当使用参数\和OR 1 = 1调用时,将导致:
SELECT goodies FROM stash WHERE secret='\' AND secret2=' OR 1 = 1 -- '
Which MySQL would see as something like this:
MySQL会像这样:
SELECT goodies FROM stash WHERE secret='...' OR 1 = 1
Even if it's impossible to cause an injection in this case the drawbacks make this unsuitable for a general purpose way to avoid SQL injection.
即使在这种情况下不可能导致注入,缺点也使它不适合通用的方法来避免SQL注入。
The solution, as already pointed out, is to use a prepared statement. This is the most reliable way to prevent SQL injection attacks.
如前所述,解决方案是使用一个准备好的语句。这是防止SQL注入攻击的最可靠方法。
#2
14
Why won't you use mysql_real_escape_string() or even better - prepared statements? Your solution seems silly.
为什么不使用mysql_real_escape_string()或更好的准备语句呢?你的解决方案似乎是愚蠢的。
#3
0
May be. The best way is:
可能是。最好的方法是:
$query = sprintf("SELECT goodies FROM stash WHERE secret='%s'",
addcslashes(mysql_real_escape_string($_POST['secret']),'%_'));
#4
-1
Why just don't use mysql_escape_string
? And yes, he could, adding "
instead of '
and plus, this query will give you an error, I guess.
为什么不用mysql_escape_string呢?是的,他可以,加上“而不是”加上,这个查询会给你一个错误,我想。
#1
6
I've had a think about this for a while and I can't see any way to inject SQL into this statement.
我已经思考了一段时间,我看不到任何将SQL注入到这个语句中的方法。
An SQL string that starts with a single quotes terminates at the next single quote unless it is escaped with a backslash or another quote (\'
or ''
). Since you are removing all single quotes there cannot be a doubled quote. If you escape the closing quote you will get an error, but no SQL injection.
以单引号开头的SQL字符串会在下一个单引号结束,除非用反斜杠或其他引号(\' or ')来转义。因为你删除了所有单引号,所以不能有双引号。如果您脱离了结束引号,您将得到一个错误,但是没有SQL注入。
However this method has a number of drawbacks:
然而,这种方法有许多缺点:
- Single quotes in the input are ignored.
- 输入中的单引号将被忽略。
- Backslashes in the input aren't handled correctly - they will be treated as escape codes.
- 输入的反斜杠不能正确处理——它们将被当作转义代码处理。
- You get an error if the last character is a backslash.
- 如果最后一个字符是反斜杠,就会出现错误。
- If you later extend the query to add a second parameter, it would allow an SQL injection attack.
- 如果稍后扩展查询以添加第二个参数,将允许SQL注入攻击。
For example:
例如:
$SQL = "SELECT goodies FROM stash WHERE secret='" .
str_replace("'",'',$_POST['secret']) .
"' AND secret2 = '" .
str_replace("'",'',$_POST['secret2']) .
"'";
When called with parameters \
and OR 1 = 1 --
would result in:
当使用参数\和OR 1 = 1调用时,将导致:
SELECT goodies FROM stash WHERE secret='\' AND secret2=' OR 1 = 1 -- '
Which MySQL would see as something like this:
MySQL会像这样:
SELECT goodies FROM stash WHERE secret='...' OR 1 = 1
Even if it's impossible to cause an injection in this case the drawbacks make this unsuitable for a general purpose way to avoid SQL injection.
即使在这种情况下不可能导致注入,缺点也使它不适合通用的方法来避免SQL注入。
The solution, as already pointed out, is to use a prepared statement. This is the most reliable way to prevent SQL injection attacks.
如前所述,解决方案是使用一个准备好的语句。这是防止SQL注入攻击的最可靠方法。
#2
14
Why won't you use mysql_real_escape_string() or even better - prepared statements? Your solution seems silly.
为什么不使用mysql_real_escape_string()或更好的准备语句呢?你的解决方案似乎是愚蠢的。
#3
0
May be. The best way is:
可能是。最好的方法是:
$query = sprintf("SELECT goodies FROM stash WHERE secret='%s'",
addcslashes(mysql_real_escape_string($_POST['secret']),'%_'));
#4
-1
Why just don't use mysql_escape_string
? And yes, he could, adding "
instead of '
and plus, this query will give you an error, I guess.
为什么不用mysql_escape_string呢?是的,他可以,加上“而不是”加上,这个查询会给你一个错误,我想。