SQL注入
例:脚本逻辑
$sql = “SELECT * FROM user WHERE userid = $_GET[userid] “;
案例1:SELECT * FROM t WHERE a LIKE ‘%xxx%’ OR (IF(NOW=SYSDATE(), SLEEP(5), 1)) OR b LIKE ‘1=1 ‘;
案例2:SELECT * FROM t WHERE a > 0 AND b IN(497 AND (SELECT * FROM (SELECT(SLEEP(20)))a) );
案例3:SELECT * FROM t WHERE a=1 and b in (1234 ,(SELECT (CASE WHEN (5=5) THEN SLEEP(5) ELSE 5*(SELECT 5 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) );
监控以下方法 SLEEP() — 一般的SQL盲注都会伴随SLEEP()函数出现,而且一般至少SLEEP 5秒以上 MID() CHAR() ORD() SYSDATE() SUBSTRING() DATABASES() SCHEMA() USER() VERSION() CURRENT_USER() LOAD_FILE() OUTFILE/DUMPFILE INFORMATION_SCHEMA TABLE_NAME fwrite()/fopen()/file_get_contents() — 这几个是PHP文件操作函数
应对方法:
1.mysql_escape_string() 转义特殊字符((PHP 4 >= 4.3.0, PHP 5))(mysql_real_escape_string必须先链接上数据库,否则会报错)
下列字符受影响: x00 //对应于ascii字符的NULL //换行符且回到下一行的最前端 //换行符 //转义符 ' " x1a //16进制数 如果成功,则该函数返回被转义的字符串。如果失败,则返回 false。
2.addslashes(): 函数返回在预定义字符之前添加反斜杠的字符串 (stripslashes()实现字符串还原)
预定义的字符有: 单引号(') 双引号(") 反斜杠() NULL
3.prepared statements(预处理机制)
<?php $mysqli = new mysqli("example.com", "user", "password", "database"); if ($mysqli->connect_errno) { echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error; } /* Non-prepared statement */ if (!$mysqli->query("DROP TABLE IF EXISTS test") || !$mysqli->query("CREATE TABLE test(id INT)")) { echo "Table creation failed: (" . $mysqli->errno . ") " . $mysqli->error; } /* Prepared statement, stage 1: prepare */ if (!($stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)"))) { echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error; } /* Prepared statement, stage 2: bind and execute */ $id = 1; if (!$stmt->bind_param("i", $id)) { echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error; } if (!$stmt->execute()) { echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error; } ?>