So I know the basics of a SQL injection attack, with entries that are not sanitized. So
所以我知道SQL注入攻击的基础知识,其中的条目没有被清理。所以
SELECT id FROM users WHERE username='$username' ANDpassword='$password'
(Note that $password is hashed) would be defeated with $username=x' or 1=1; --
(注意$ password被哈希)将被$ username = x'或1 = 1击败; -
A friend said that if you throw a \n character into your source code, then you can't comment the rest of the query out. So if you have
一位朋友说,如果你在你的源代码中输入一个\ n字符,那么你就无法对其余的查询进行评论。所以,如果你有
Select id\nfrom users\nwhere username='$username'\nand password='$password'
in php, and then submit it to the query, then even if they tried to comment out the username, it would error because the and password='$password' would still try and be executed.
在PHP中,然后将其提交给查询,然后即使他们试图注释掉用户名,也会出错,因为和密码='$ password'仍会尝试并执行。
I tried it, and he seems to be correct. So, my question is, while you should still sanitize your database inputs, does this prevent an attack like this, or is there a way to bypass it still?
我试过了,他似乎是正确的。所以,我的问题是,虽然你仍然应该清理你的数据库输入,这是否可以防止像这样的攻击,还是有办法绕过它?
I don't know if it matters, but I'm talking specifically about mysql here.
我不知道它是否重要,但我在这里专门讨论mysql。
1 个解决方案
#1
2
I toyed around a bit with this, but I don't see this method of using newlines helping at all. Maybe there's some differences between different versions of mysql clients, but running PHP with MySQL-ND adding the newlines doesn't seem to help against sending the username x' OR 1=1 OR ', this doesn't rely on the -- commenting at all, which effectively defeats the whole purpose of the newline.
我玩弄了一下这个,但我没有看到这种使用换行符的方法。也许不同版本的mysql客户端之间存在一些差异,但运行PHP与MySQL-ND添加新行似乎没有帮助反对发送用户名x'OR 1 = 1 OR',这不依赖于 - 评论完全有效地击败了新线的整个目的。
There may be easier and other ways around it as well, but it seems quite easily defeated at least. I would never trust a "clever solution" like this.
围绕它可能有更容易和其他方式,但它似乎很容易被打败至少。我永远不会相信像这样的“聪明的解决方案”。
#1
2
I toyed around a bit with this, but I don't see this method of using newlines helping at all. Maybe there's some differences between different versions of mysql clients, but running PHP with MySQL-ND adding the newlines doesn't seem to help against sending the username x' OR 1=1 OR ', this doesn't rely on the -- commenting at all, which effectively defeats the whole purpose of the newline.
我玩弄了一下这个,但我没有看到这种使用换行符的方法。也许不同版本的mysql客户端之间存在一些差异,但运行PHP与MySQL-ND添加新行似乎没有帮助反对发送用户名x'OR 1 = 1 OR',这不依赖于 - 评论完全有效地击败了新线的整个目的。
There may be easier and other ways around it as well, but it seems quite easily defeated at least. I would never trust a "clever solution" like this.
围绕它可能有更容易和其他方式,但它似乎很容易被打败至少。我永远不会相信像这样的“聪明的解决方案”。