Complete explanation of PHP vulnerabilities (5)-SQL injection attack

SQL injection attack (SQL Injection) is when the attacker submits a carefully constructed SQL statement in a form and changes the original SQL statement. If the web program does not check the submitted data, it will cause a SQL injection attack.

General steps of SQL injection attack:

1. The attacker visits a site with SQL injection vulnerability and looks for the injection point

2. The attacker constructs an injection statement, and combines the injection statement with the SQL statement in the program to generate a new SQL statement

3. The new sql statement is submitted to the database for processing

4. The database executes the new SQL statement, causing a SQL injection attack

Instance

Database

CREATE TABLE `postmessage` (  		
`id` int(11) NOT NULL auto_increment,  			
`subject` varchar(60) NOT NULL default ”,  				
`name` varchar(40) NOT NULL default ”,  					
`email` varchar(25) NOT NULL default ”,  						
`question` mediumtext NOT NULL,  							
`postdate` datetime NOT NULL default ’0000-00-00 00:00:00′,  								
PRIMARY KEY (`id`)  									
) ENGINE=MyISAM DEFAULT CHARSET=gb2312 COMMENT=’运用者的留言’ AUTO_INCREMENT=69 ;  										
	grant all privileges on ch3.* to ‘sectop’@localhost identified by ’123456′;  											
	//add.php 插入留言  												
	//list.php 留言列表  													
	//show.php 显示留言  													

														

Page http://www. netsos.com.cn/show.php?id=71 There may be an injection point, let’s test it

http://www.netsos.com.cn/show.php?id=71 and 1=1

The record was queried once and not once. Let’s take a look at the source code

//show.php lines 12-15

//Execute the mysql query statement

$query = "select * from postmessage where id = " .$_GET["id"];

$result = mysql_query($query)

or die("Failed to execute ySQL query statement:" . mysql_error());

After the parameter id is passed in, and the preceding characters Put the combined sql statement into the database to execute the query

Submit and 1=1, the statement becomes select * from postmessage where id = 71 and 1=1. The values ​​before and after this statement are all true, and after and is also true, return The queried data

is submitted and 1=2, and the statement becomes select * from postmessage where id = 71 and 1=2. The first value of this statement is true, the last value is false, and the next value is false, and no data can be queried

Normal SQL queries, after passing through the statements we constructed, form SQL injection attacks. Through this injection point, we can further obtain permissions, for example, use union to read the management password, read database information, or use mysql's load_file, into outfile and other functions to further penetrate.

Prevention method

Integer parameters:

Use the intval function to convert data into integers

Function prototype

int intval (mixed var, int base)

var is the variable to be converted into an integer

base, you can Select, it is the basic number, the default is 10

Floating point parameters:

Use floatval or doubleval function to convert single precision and double precision floating point parameters respectively

Function prototype

int floatval (mixed var)

var is Variable to be converted

int doubleval (mixed var)

var is the variable to be converted

Character parameters:

Use the addslashes function to convert single quotes "'" to "'" and double quotes """ into """, backslash "" is converted into "\", NULL character plus backslash ""

Function prototype

string addslashes (string str)

str is the string to be checked

So just now We can fix the code loopholes like this

// Execute mysql query statement

$query = "select * from postmessage where id = ".intval($_GET["id"]);

$result = mysql_query( $query)

or die("Failed to execute ySQL query statement: " . mysql_error());

If it is a character type, first determine whether magic_quotes_gpc can be On, and use addslashes to escape when it is not On. Special characters

if(get_magic_quotes_gpc())
{
　 $var = $_GET["var"];
}
else
　{
​ $var = addslashes($_GET["var"]) ;
}

Tested again, the vulnerability has been fixed

The above is the content of PHP vulnerability solution (5) - SQL injection attack. For more related content, please pay attention to the PHP Chinese website (www.php.cn )!