sql -注射-这(oneliner)安全吗?

时间:2021-08-17 13:02:37

PHP:

PHP:

$SQL = "SELECT goodies FROM stash WHERE secret='" .  
    str_replace("'",'',$_POST['secret']) .  
"'";  

Could an evil genius hacker inject SQL into my SELECT - How ?

一个邪恶的天才黑客会把SQL注入到我的选择中吗?

4 个解决方案

#1


6  

I've had a think about this for a while and I can't see any way to inject SQL into this statement.

我已经思考了一段时间,我看不到任何将SQL注入到这个语句中的方法。

An SQL string that starts with a single quotes terminates at the next single quote unless it is escaped with a backslash or another quote (\' or ''). Since you are removing all single quotes there cannot be a doubled quote. If you escape the closing quote you will get an error, but no SQL injection.

以单引号开头的SQL字符串会在下一个单引号结束,除非用反斜杠或其他引号(\' or ')来转义。因为你删除了所有单引号,所以不能有双引号。如果您脱离了结束引号,您将得到一个错误,但是没有SQL注入。

However this method has a number of drawbacks:

然而,这种方法有许多缺点:

  • Single quotes in the input are ignored.
  • 输入中的单引号将被忽略。
  • Backslashes in the input aren't handled correctly - they will be treated as escape codes.
  • 输入的反斜杠不能正确处理——它们将被当作转义代码处理。
  • You get an error if the last character is a backslash.
  • 如果最后一个字符是反斜杠,就会出现错误。
  • If you later extend the query to add a second parameter, it would allow an SQL injection attack.
  • 如果稍后扩展查询以添加第二个参数,将允许SQL注入攻击。

For example:

例如:

$SQL = "SELECT goodies FROM stash WHERE secret='" .  
    str_replace("'",'',$_POST['secret']) .  
"' AND secret2 = '" .
    str_replace("'",'',$_POST['secret2']) .  
"'";  

When called with parameters \ and OR 1 = 1 -- would result in:

当使用参数\和OR 1 = 1调用时,将导致:

SELECT goodies FROM stash WHERE secret='\' AND secret2=' OR 1 = 1 -- '

Which MySQL would see as something like this:

MySQL会像这样:

SELECT goodies FROM stash WHERE secret='...' OR 1 = 1

Even if it's impossible to cause an injection in this case the drawbacks make this unsuitable for a general purpose way to avoid SQL injection.

即使在这种情况下不可能导致注入,缺点也使它不适合通用的方法来避免SQL注入。

The solution, as already pointed out, is to use a prepared statement. This is the most reliable way to prevent SQL injection attacks.

如前所述,解决方案是使用一个准备好的语句。这是防止SQL注入攻击的最可靠方法。

#2


14  

Why won't you use mysql_real_escape_string() or even better - prepared statements? Your solution seems silly.

为什么不使用mysql_real_escape_string()或更好的准备语句呢?你的解决方案似乎是愚蠢的。

#3


0  

May be. The best way is:

可能是。最好的方法是:

$query = sprintf("SELECT goodies FROM stash WHERE secret='%s'",
addcslashes(mysql_real_escape_string($_POST['secret']),'%_'));

#4


-1  

Why just don't use mysql_escape_string? And yes, he could, adding " instead of ' and plus, this query will give you an error, I guess.

为什么不用mysql_escape_string呢?是的,他可以,加上“而不是”加上,这个查询会给你一个错误,我想。

#1


6  

I've had a think about this for a while and I can't see any way to inject SQL into this statement.

我已经思考了一段时间,我看不到任何将SQL注入到这个语句中的方法。

An SQL string that starts with a single quotes terminates at the next single quote unless it is escaped with a backslash or another quote (\' or ''). Since you are removing all single quotes there cannot be a doubled quote. If you escape the closing quote you will get an error, but no SQL injection.

以单引号开头的SQL字符串会在下一个单引号结束,除非用反斜杠或其他引号(\' or ')来转义。因为你删除了所有单引号,所以不能有双引号。如果您脱离了结束引号,您将得到一个错误,但是没有SQL注入。

However this method has a number of drawbacks:

然而,这种方法有许多缺点:

  • Single quotes in the input are ignored.
  • 输入中的单引号将被忽略。
  • Backslashes in the input aren't handled correctly - they will be treated as escape codes.
  • 输入的反斜杠不能正确处理——它们将被当作转义代码处理。
  • You get an error if the last character is a backslash.
  • 如果最后一个字符是反斜杠,就会出现错误。
  • If you later extend the query to add a second parameter, it would allow an SQL injection attack.
  • 如果稍后扩展查询以添加第二个参数,将允许SQL注入攻击。

For example:

例如:

$SQL = "SELECT goodies FROM stash WHERE secret='" .  
    str_replace("'",'',$_POST['secret']) .  
"' AND secret2 = '" .
    str_replace("'",'',$_POST['secret2']) .  
"'";  

When called with parameters \ and OR 1 = 1 -- would result in:

当使用参数\和OR 1 = 1调用时,将导致:

SELECT goodies FROM stash WHERE secret='\' AND secret2=' OR 1 = 1 -- '

Which MySQL would see as something like this:

MySQL会像这样:

SELECT goodies FROM stash WHERE secret='...' OR 1 = 1

Even if it's impossible to cause an injection in this case the drawbacks make this unsuitable for a general purpose way to avoid SQL injection.

即使在这种情况下不可能导致注入,缺点也使它不适合通用的方法来避免SQL注入。

The solution, as already pointed out, is to use a prepared statement. This is the most reliable way to prevent SQL injection attacks.

如前所述,解决方案是使用一个准备好的语句。这是防止SQL注入攻击的最可靠方法。

#2


14  

Why won't you use mysql_real_escape_string() or even better - prepared statements? Your solution seems silly.

为什么不使用mysql_real_escape_string()或更好的准备语句呢?你的解决方案似乎是愚蠢的。

#3


0  

May be. The best way is:

可能是。最好的方法是:

$query = sprintf("SELECT goodies FROM stash WHERE secret='%s'",
addcslashes(mysql_real_escape_string($_POST['secret']),'%_'));

#4


-1  

Why just don't use mysql_escape_string? And yes, he could, adding " instead of ' and plus, this query will give you an error, I guess.

为什么不用mysql_escape_string呢?是的,他可以,加上“而不是”加上,这个查询会给你一个错误,我想。