根据服务器的不同配置,在通过post、get获得数据时可能出现一些类似于 ',"等特殊符合会被转义。这个问题主要由PHP魔术引号引起。PHP魔术引号包括 magic_quotes_gpc,magic_quotes_runtime,magic_quotes_sybase。
magic_quotes_gpc 总结如下:
1. 对于magic_quotes_gpc=on的情况,我们可以不对输入和输出数据库的字符串数据作 addslashes()和stripslashes()的操作,数据也会正常显示。 如果此时你对输入的数据作了addslashes()处理, 那么在输出的时候就必须使用stripslashes()去掉多余的反斜杠。2. 对于magic_quotes_gpc=off 的情况
必须使用addslashes()对输入数据进行处理,但并不需要使用stripslashes()格式化输出 因为addslashes()并未将反斜杠一起写入数据库,只是帮助mysql完成了sql语句的执行。关于php注入中的magic_quotes_gpc magic_quotes_gpc = on
大家都知道php配置文件php.in ,如果里面的magic_quotes_gpc 配置被打开 那就是magic_quotes_gpc = on 懂点php的人都知道。
那我们就要对数值型的字段注入。
<span> 1</span> <? <span> 2</span> <span>if</span> ( <span>isset</span>(<span>$_POST</span>["f_login"<span>] ) ){ </span><span> 3</span> <span>//</span><span>连接数据库</span> <span> 4</span> <span>$t_strUid</span> = <span>$_POST</span>["f_uid"<span>]; </span><span> 5</span> <span>$t_strPwd</span> = <span>$_POST</span>["f_pwd"<span>]; </span><span> 6</span> <span>$t_strSQL</span> = "SELECT * FROM tbl_users WHERE uid=<span>$t_strUid</span> AND password = '<span>$t_strPwd</span>' LIMIT 0,1"<span>; </span><span> 7</span> <span>if</span> ( <span>$t_hRes</span> = <span>mysql_query</span>(<span>$t_strSQL</span><span>) ){ </span><span> 8</span> <span>//</span><span> 成功查询</span> <span> 9</span> <span> } </span><span>10</span> <span> } </span><span>11</span> ?>
<span> 1</span> <span><</span><span>html</span><span>></span> <span> 2</span> <span><</span><span>head</span><span>></span> <span> 3</span> <span><</span><span>title</span><span>></span>sample test<span></</span><span>title</span><span>></span> <span> 4</span> <span></</span><span>head</span><span>></span> <span> 5</span> <span><</span><span>body</span><span>></span> <span> 6</span> <span><</span><span>form </span><span>method</span><span>=post </span><span>action</span><span>=""</span><span>></span> <span> 7</span> User ID: <span><</span><span>input </span><span>type</span><span>="text"</span><span> name</span><span>="username"</span><span> size</span><span>=30</span><span>><</span><span>br</span><span>></span> <span> 8</span> Password: <span><</span><span>input </span><span>type</span><span>=text </span><span>name</span><span>="userpwd"</span><span> size</span><span>=30</span><span>><</span><span>br</span><span>></span> <span> 9</span> <span><</span><span>input </span><span>type</span><span>="submit"</span><span> name</span><span>="user_login"</span><span> value</span><span>="登录"</span><span>></span> <span>10</span> <span></</span><span>form</span><span>></span> <span>11</span> <span></</span><span>body</span><span>></span>
如果正确输入:
SELECT * FROM tbltable_users WHERE userid=admin AND password = 'admin' LIMIT 0,1
如果攻击者在username处,输入:admin OR 1 =1 #,则注入的sql语句如下:
SELECT * FROM table_users WHERE userid=admin OR 1 =1 # AND password = 'admin' LIMIT 0,1
下面就可以进行注入了.
在php.ini 中把display_errors 选项设为display_errors = off 这样就可以防止.
magic_quotes_runtime
如果打开的话,大部份从外部来源取得数据并返回的函数,包括从数据库和文本文件,所返回的数据都会被反斜线转义。该选项可在运行的时改变,在 PHP 中的默认值为 off。
magic_quotes_sybase
如果打开的话,将会使用单引号对单引号进行转义而非反斜线。此选项会完全覆盖 magic_quotes_gpc。如果同时打开两个选项的话,单引号将会被转义成 ”。而双引号、反斜线 和 NULL 字符将不会进行转义。
由于不同服务器的配置不同,需要在代码中用get_magic_quotes_gpc() 检测服务器配置。
<span>1</span> <span>if</span>(<span>isset</span>(<span>$_POST</span>['c'<span>])){ </span><span>2</span> <span>$s</span> = <span>$_POST</span>['c'<span>]; </span><span>3</span> <span>if</span>(<span>get_magic_quotes_gpc</span><span>()) </span><span>4</span> <span>$s</span> = <span>stripslashes</span>(<span>$s</span>);<span>//</span><span>stripslashes() 函数删除由 addslashes() 函数添加的反斜杠。 </span><span>5</span> <span>//do something</span> <span>6</span> }