Home >Database >Mysql Tutorial >Take you to understand SQL Injection in one minute

Take you to understand SQL Injection in one minute

醉折花枝作酒筹
醉折花枝作酒筹forward
2021-08-02 16:01:222101browse

By inserting SQL commands into Web form submissions or entering domain names or query strings for page requests, you can ultimately trick the server into executing malicious SQL commands. Specifically, it uses existing applications to inject (malicious) SQL commands into the background database engine for execution, thereby obtaining a database on a website with security vulnerabilities.

Take you to understand SQL Injection in one minute

SQL Injection, SQL injection, is actually the use of code vulnerabilities to change the semantics of SQL, thereby forming malicious SQL statements

$username = $_POST['username'];
$password = $_POST['password'];

$query = "select * from users where username = '{$username}' and password = '{$password}'";

// 判断是否登录成功
if (DB::select($query)) {
    return true;
}

return false;

A quick look at this pseudo code No problem, just check whether the account password is correct. If it is correct, it will return true and allow login. But if the incoming username is 123' or 1=1;#\, then the SQL statement becomes

select * from users where username = '123' or 1=1;
# and password = '{$password}'";

. This malicious SQL statement will return true at any time, because 1=1

Injection through ORM

We mentioned earlier that SQL Injection uses code vulnerabilities to change the semantics of SQL, which means that ORM is also a potential injection point. Taking tp3.2 as an example, there is the following code

$result = D('User')->where([
    'username' => $_POST['username'],
    'password' => $_POST['password'],
]);

if ($result) {
    echo '登录成功';
} else {
    echo '登录失败';
}

This code seems to have no problem, but if username is passed in username[0]=neq&username[1]=1111, this is The query statement becomes

$result = D('User')->where([
    'username' => ['neq', 111],
    'password' => $_POST['password'],
]);

Then the result of $result will always be true

Prevention method

  • Judge the data type of the incoming parameters And data type conversion

  • Escape quotes, PHP can use addslashes, mysql_real_escape_string and other functions

  • Preprocessing statements, the most effective way to prevent SQL Injection

  • Code Audit

How prepared statements prevent SQL Injection

Prepared statements are implemented by the database , for example, MySQL implements prepared statements. First, let’s talk about the basic process of preprocessing

  • MySQL receives the preprocessing SQL Template and immediately starts parsing (lexical and syntax)

  • Customer Send data to the end to replace the placeholder (?) in the SQL Template

  • MySQL executes the statement and returns the result

  • Delete the preprocessing statement (Optional)

So how do prepared statements prevent SQL injection? First of all, the so-called SQL Injection is to forcibly change the semantics of SQL. In step one, the statement has been processed and the semantics of SQL have been fixed. Replacing the placeholders in step two will not change the semantics of SQL. The following is an example of PHP PDO

$stmt = $pdo->prepare("select * from users where username = '?' and password = '?'");

$stmt->execute("123' or 1=1;#", 'test');

Related recommendations: "mysql tutorial"

The above is the detailed content of Take you to understand SQL Injection in one minute. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:segmentfault.com. If there is any infringement, please contact admin@php.cn delete