
PHP anti-injection attack experience_PHP tutorial

WBOY
2016-07-13 17:08:56

PHP anti-injection attack experience

1:

This topic is too cliché.
Set magic_quotes_gpc = On in PHP.INI.
It can indeed prevent some injection attacks, but is it a cure-all?
We currently convert the variables received by POST or GET, turning spaces, punctuation marks, and special characters into HTML encoding.
I restore them when displaying. How do you do it? Share your code.

But it is still not enough. You can't prevent union statements when your SQL is not written in a standardized way.
For example, select * from news where id=$Id: if the variable $Id is not enclosed in single quotes, and it is not checked whether $Id is a numeric string, it will definitely be injectable, even with magic_quotes_gpc = On.
The only way to completely prevent injection is to enclose the variables in single quotes within the SQL statement, then
set magic_quotes_gpc = On, then convert spaces, punctuation marks, and special characters into HTML encoding.
I think this will solve it once and for all. I don't know if there are any fish that have slipped through the net. Please give me some advice. If the system we are developing now eliminates injection, then I can sleep well. Haha.

Generally, I use functions directly on each page to do a preliminary filtering of $_GET, $_POST, $_SESSION and other data.

I force a check of the data type when writing to the database.

Basically these work well against ordinary injection attempts.

1 SQL statements are best formatted through sprintf, and then queried
2 When doing login checks, it is best to use one value to fetch the other value, and then compare them

Example:

Haha, that's the example I gave. I summarized it carefully; it is very easy not to be injected.
The summary is as follows:
magic_quotes_gpc = On is turned on, and then the variable is enclosed in single quotes. If someone wants to inject, they have to break out of the quotes, so they have to put single quotes into the variable. Those single quotes are escaped by magic_quotes_gpc = On, so breaking out of the single quotes fails. They can't do bad things.
Another point is that there are two comment marks in MySQL, # and /*. Through these, the rest of the SQL statement can be commented out, so these two characters can be converted into ASCII codes or HTML codes.
Then the root of injection attacks is the space.
For example, select * from news where id=1 union select * from admin: if I delete or convert the spaces,
it becomes select * from news where id=1unionselect*fromadmin, which no longer steals any data.
select * from news where id=1; drop table news, with the spaces removed here,
becomes select * from news where id=1; droptablenews, which cannot be executed.
So the root of injection attacks is spaces. Once spaces are replaced, I can really sleep peacefully.
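As an added example (not code from any poster in this thread), the following PHP walks through the "select * from news where id=$Id" case the posts argue about: the interpolated form, the numeric type check and sprintf formatting the replies recommend, and, as a third option the thread does not mention, a PDO parameterised query where the value never becomes part of the SQL text. The sample inputs are constructed, and the PDO connection is assumed.

```php
<?php
// Added example; not code from the thread. It walks through the
// "select * from news where id=$Id" case the posts discuss.
declare(strict_types=1);

// Constructed sample inputs (not taken from any real request): a normal
// id and the union payload the thread quotes.
$inputs = ['1', '1 union select * from admin'];

// The pattern the thread calls out: an unquoted, unchecked variable.
// Escaping quotes (magic_quotes_gpc) changes nothing here, because the
// payload contains no quote that needs to be broken out of.
function vulnerableQuery(string $id): string
{
    return "select * from news where id=$id";
}

// The type check the replies recommend: only a plain decimal integer
// is allowed to reach the SQL text, formatted through sprintf.
function checkedNumericQuery(string $id): ?string
{
    if (!preg_match('/^\d+$/', $id)) {
        return null;                         // reject the request instead
    }
    return sprintf('select * from news where id=%d', (int) $id);
}

// Parameter binding with PDO (not mentioned in the thread): the value is
// sent separately from the statement, so quoting, escaping or stripping
// spaces is no longer the line of defence. Assumes a live PDO connection.
function preparedQuery(PDO $db, int $id): array
{
    $stmt = $db->prepare('select * from news where id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach ($inputs as $in) {
    echo "input: $in\n";
    echo "  interpolated: " . vulnerableQuery($in) . "\n";
    echo "  type-checked: " . (checkedNumericQuery($in) ?? 'rejected') . "\n";
}
// A caller would do: $rows = preparedQuery(new PDO($dsn, $user, $pass), (int) $id);
```

Run it with the PHP CLI to see the union payload pass straight into the interpolated string while the type-checked variant rejects it; preparedQuery needs a real database connection.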
