sql注入原理及防范_MySQL-Mysql Tutorial-php.cn

Home

Database

Mysql Tutorial

sql注入原理及防范_MySQL

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 01, 2016 pm 01:06 PM

一： sql注入原理

原理就是利用服务器执行sql参数时的特殊性，将正常的数据库字段注入特征字符组成新的SQL语句，导致原来的sql语句“变了味”

举一个简单的例子
$id = $_GET['id']; /// id= 10001 OR 1 = 1 #
$qq = $_GET['qq']; // qq= "261414' OR 1 = 1 #"
$sql = "SELECT * FROM `user` WHERE id=$id AND $qq = '".$qq."'";
$results = $db->query($sql);

二：如何防范：
1. web参数过滤，只允许约定的字符出现，但过于暴力

2. 拼装的sql语句用mysql_real_escape_string方法进行过滤
$username = mysql_real_escape_string($_GET['username']);

3. mysql用户权限设置，不要用root

4. 使用sql注入扫描工具测试

附：

PDO的prepare是怎么防范SQL注入的
当调用prepare()时，查询语句先被发送给了MYSQL，此时只有占位符发送过去，没有用户提交的数据（MYSQL做预编译，一定程度上会优化查询效率，特别是对同个SQL模版进行多次调用时）；当调用execute()时，用户提交的值才会传送给MYSQL。从而达到防范SQL注入的目的。.

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

How to solve the problem of mysql cannot open shared libraryMar 04, 2025 pm 04:01 PM

This article addresses MySQL's "unable to open shared library" error. The issue stems from MySQL's inability to locate necessary shared libraries (.so/.dll files). Solutions involve verifying library installation via the system's package m

Reduce the use of MySQL memory in DockerMar 04, 2025 pm 03:52 PM

This article explores optimizing MySQL memory usage in Docker. It discusses monitoring techniques (Docker stats, Performance Schema, external tools) and configuration strategies. These include Docker memory limits, swapping, and cgroups, alongside

How do you alter a table in MySQL using the ALTER TABLE statement?Mar 19, 2025 pm 03:51 PM

The article discusses using MySQL's ALTER TABLE statement to modify tables, including adding/dropping columns, renaming tables/columns, and changing column data types.

Run MySQl in Linux (with/without podman container with phpmyadmin)Mar 04, 2025 pm 03:54 PM

This article compares installing MySQL on Linux directly versus using Podman containers, with/without phpMyAdmin. It details installation steps for each method, emphasizing Podman's advantages in isolation, portability, and reproducibility, but also

What is SQLite? Comprehensive overviewMar 04, 2025 pm 03:55 PM

This article provides a comprehensive overview of SQLite, a self-contained, serverless relational database. It details SQLite's advantages (simplicity, portability, ease of use) and disadvantages (concurrency limitations, scalability challenges). C

How do I configure SSL/TLS encryption for MySQL connections?Mar 18, 2025 pm 12:01 PM

Article discusses configuring SSL/TLS encryption for MySQL, including certificate generation and verification. Main issue is using self-signed certificates' security implications.[Character count: 159]

Running multiple MySQL versions on MacOS: A step-by-step guideMar 04, 2025 pm 03:49 PM

This guide demonstrates installing and managing multiple MySQL versions on macOS using Homebrew. It emphasizes using Homebrew to isolate installations, preventing conflicts. The article details installation, starting/stopping services, and best pra

What are some popular MySQL GUI tools (e.g., MySQL Workbench, phpMyAdmin)?Mar 21, 2025 pm 06:28 PM

Article discusses popular MySQL GUI tools like MySQL Workbench and phpMyAdmin, comparing their features and suitability for beginners and advanced users.[159 characters]

See all articles