
SQL injection analysis in PHP

WBOY (original), 2016-07-29 09:15:02

1. Types of injection attacks
Attackers may have many different motives, and on closer inspection the range of possible attacks is wider than it first appears. This is especially true if a malicious user finds a way to execute multiple queries; we discuss that in detail later in this article.
For example, if your script executes a SELECT statement, an attacker can force every row of a table to be returned by injecting a condition such as 1=1 into the WHERE clause, as shown below (the injected text is everything from the quote after lagrein onward):
SELECT * FROM wines WHERE variety = 'lagrein' OR 1=1;'

As we discussed earlier, this can be useful information in itself: it reveals the general structure of the table (which a single normal record would not), and the returned records may contain confidential information.
An UPDATE statement poses a more immediate threat. By placing additional assignments in the SET clause, an attacker can modify any field of the record currently being updated, as in the following example (the injected text lies between red and the WHERE clause):
UPDATE wines SET type='red', 'vintage'='9999' WHERE variety = 'lagrein'

By also adding an always-true condition such as 1=1 to the WHERE clause of the UPDATE statement, the scope of this modification can be extended to every record, as in the following example (the injected text lies between red and the final ;'):
UPDATE wines SET type='red', 'vintage'='9999 WHERE variety = 'lagrein' OR 1=1;'

Probably the most dangerous statement is DELETE, for reasons that are not hard to imagine. The injection technique is the same one we have already seen: extend the set of affected records by modifying the WHERE clause, as in the example below (the injected text is everything from the quote after lagrein onward):
DELETE FROM wines WHERE variety = 'lagrein' OR 1=1;'
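The SELECT and DELETE injections above, reproduced as an added example (not code from the original article) against a constructed in-memory SQLite `wines` table via PDO, so it runs offline; the vulnerable string-building version is shown beside the prepared-statement version that a practitioner should use instead.

```php
<?php
// Added example, not from the original article. The wines table and its rows
// are constructed here purely for demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wines (id INTEGER PRIMARY KEY, variety TEXT, type TEXT, vintage INTEGER)");
$db->exec("INSERT INTO wines (variety, type, vintage) VALUES
           ('lagrein', 'red', 2001), ('riesling', 'white', 2003), ('merlot', 'red', 1999)");

// Vulnerable: the user-supplied value is spliced into the SQL text, so a quote
// in the input ends the string literal and whatever follows is parsed as SQL.
function findByVarietyVulnerable(PDO $db, string $variety): array {
    return $db->query("SELECT * FROM wines WHERE variety = '$variety'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Vulnerable DELETE built the same way; exec() returns the number of rows removed.
function deleteByVarietyVulnerable(PDO $db, string $variety): int {
    return $db->exec("DELETE FROM wines WHERE variety = '$variety'");
}

// Hardened: a prepared statement sends the value separately from the query text,
// so it is compared purely as data and can never alter the WHERE clause.
function findByVarietySafe(PDO $db, string $variety): array {
    $stmt = $db->prepare("SELECT * FROM wines WHERE variety = ?");
    $stmt->execute([$variety]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$honest   = "lagrein";
// The article's OR 1=1 idea, written so the query's own closing quote is reused.
$injected = "lagrein' OR 'x'='x";

printf("honest input, vulnerable SELECT:   %d row(s)\n", count(findByVarietyVulnerable($db, $honest)));   // 1
printf("injected input, vulnerable SELECT: %d row(s)\n", count(findByVarietyVulnerable($db, $injected))); // 3
printf("injected input, prepared SELECT:   %d row(s)\n", count(findByVarietySafe($db, $injected)));       // 0
printf("injected input, vulnerable DELETE: %d row(s) removed\n", deleteByVarietyVulnerable($db, $injected)); // 3
```

The prepared version returns no rows for the injected input because no wine's variety literally equals that string, which is exactly the behaviour you want.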

2. Multiple query injection
Multiple-query injection greatly increases the damage an attacker can do, by allowing several destructive statements to be included in a single query. With a MySQL database an attacker can achieve this easily by inserting an unexpected terminator into the query: an injected quote (single or double) marks the end of the expected value, and a semicolon then terminates the statement. An additional attack statement can now be appended to the end of the original, now terminated, statement. The resulting destructive query might look like this:

SELECT * FROM wines WHERE variety = 'lagrein'; GRANT ALL ON *.* TO 'BadGuy@%' IDENTIFIED BY 'gotcha';'

This injection creates a new user, BadGuy, and gives it network-wide privileges (all privileges on all tables), together with an ominous-sounding password, all appended to a simple SELECT statement. If you followed our advice in the previous article and strictly limited the privileges of the process user, this should not work, because the web server daemon no longer has the GRANT privilege that you revoked. But in principle such an attack could give BadGuy free rein to do whatever he wants with your database.

Whether such a multiple query is actually processed by the MySQL server is not clear-cut. Some of the variation is due to different MySQL versions, but most of it is due to the way the multiple query is presented. The MySQL command-line monitor accepts such a query in full. The commonly used MySQL GUI, phpMyAdmin, strips everything before the final query and executes only that.
In an injection context, however, a multiple query would most often be handled by PHP's mysql extension. Fortunately, by default it does not allow more than one statement per query: an attempt to execute two statements (such as the injection shown above) simply fails, sets no error, and produces no output. In this case PHP is merely following its default behaviour, but that default does protect you from most simple injection attacks.
The new mysqli extension in PHP 5 (see http://php.net/mysqli), like mysql, does not support multiple queries natively, but it does provide a mysqli_multi_query() function for implementing them, should you really want to.
The situation is more serious for SQLite, the embeddable SQL database engine bundled with PHP 5 (see http://sqlite.org/ and http://php.net/sqlite), which has attracted many users because of its ease of use. In some cases SQLite allows such multi-statement queries by default, because the engine can optimise batched queries, and batched INSERT statements in particular are processed very efficiently. However, the sqlite_query() function does not allow multiple queries to be executed if your script uses the results of the query (for example, when a SELECT statement retrieves records).

3. Invision Power Board SQL injection vulnerability
Invision Power Board is a well-known forum system. On May 6, 2005, a SQL injection vulnerability was discovered in its login code, by James Bercegay of GulfTech Security Research.
The login query looks like this:

$DB->query("SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'");

Here, the member ID variable midID
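The login query above, reproduced as an added example (not code from Invision Power Board or the original article) against a constructed in-memory SQLite `ibf_members` table via PDO. It shows why the unquoted numeric `$mid` is dangerous even without any quote character in the input, and the typed prepared statement that closes the hole.

```php
<?php
// Added example, not from Invision Power Board or the original article.
// Table, rows and passwords are constructed here purely for demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ibf_members (id INTEGER PRIMARY KEY, name TEXT, password TEXT)");
$db->exec("INSERT INTO ibf_members (id, name, password) VALUES
           (1, 'admin', 'correct-horse'), (2, 'alice', 'battery-staple')");

// Vulnerable: mirrors the article's query. Because $mid is interpolated without
// quotes, the attacker does not even need a quote character to alter the WHERE clause.
function loginVulnerable(PDO $db, string $mid, string $pid): ?array {
    $row = $db->query("SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the id must be a plain number and is bound as an integer, the password
// is bound as a string, so neither value can ever become part of the SQL text.
function loginSafe(PDO $db, string $mid, string $pid): ?array {
    if (!ctype_digit($mid)) {          // anything but a bare member number is refused
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM ibf_members WHERE id=? AND password=?");
    $stmt->bindValue(1, (int)$mid, PDO::PARAM_INT);
    $stmt->bindValue(2, $pid, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The article's OR 1=1 placed in the unquoted id. Since AND binds tighter than OR,
// the WHERE clause becomes id=1 OR (1=1 AND password='wrong') and the password
// check no longer constrains the first row.
$tamperedId = "1 OR 1=1";

var_dump(loginVulnerable($db, "1", "correct-horse")['name']);   // string "admin": normal login
var_dump(loginVulnerable($db, $tamperedId, "wrong")['name']);   // string "admin": password ignored
var_dump(loginSafe($db, $tamperedId, "wrong"));                // NULL: tampered id refused
var_dump(loginSafe($db, "1", "wrong"));                        // NULL: wrong password
var_dump(loginSafe($db, "1", "correct-horse")['name']);        // string "admin"
```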

The above has introduced SQL injection analysis in PHP, covering the aspects discussed; I hope it is helpful to readers interested in PHP tutorials.
