I've been reading about SQL injection attacks and how to avoid them, although I can never seem to make the "awful" examples given work, e.g. see this post
Whenever building up SQL from strings, SQL injection is a real danger.
I have also discovered that trying to avoid building up SQL from strings is a pointless endeavor. Sooner or later the full form of your SQL (not just things that could be parameters) must be generated at runtime.
The bobby tables example will not work with the mysql interface because it doesn't do multiple queries in one call. The mysqli interface is vulnerable to the multiple query attack. The mysql interface is more vulnerable to the privilege boost attack:
In your form I type account: admin
password: ' or 1=1 --
so that your typical login SQL: select * from users where user_name = '$admin' and password = '$password'. The or causes this to be true and lets you log in.
Magic quotes don't take character encoding into account, and thus are vulnerable to attacks based on multi-byte characters.
As for it being a risk today, Google searches turn up countless vulnerable sites. An SQL Injection vulnerability was reported for Bugzilla around September 10. So, yes, sites are still at risk. Should they be? The tools are there to prevent injection, so no.
I've had to develop for a server which has no way for me to disable magic_quotes! I include this on every page to undo the effects of magic quotes, so I can do proper escaping myself without 'double escaping'. Even though I can taste vomit just from reading this, I haven't found a better solution.
    <?php
    if (get_magic_quotes_gpc()) {
        // Work list of the request superglobals, held by reference so the
        // originals are rewritten in place.
        $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
        // each() walks the live array, so nested arrays appended to the
        // work list below are visited too.
        while (list($key, $val) = each($process)) {
            foreach ($val as $k => $v) {
                unset($process[$key][$k]);
                if (is_array($v)) {
                    // Re-insert the nested array under its unslashed key and
                    // queue it for processing.
                    $process[$key][stripslashes($k)] = $v;
                    $process[] = &$process[$key][stripslashes($k)];
                } else {
                    // Strip the slashes magic_quotes added to both key and value.
                    $process[$key][stripslashes($k)] = stripslashes($v);
                }
            }
        }
        unset($process);
    }
This is still a big problem. You can't assume that magic_quotes is turned on in every PHP installation you might use.
To see if magic quotes is turned on and clear out the mess from magic quotes:
    // get_magic_quotes_gpc() returns a bool on newer PHP, so test it directly
    // rather than comparing against 0.
    if (get_magic_quotes_gpc()) { $foo = stripslashes($foo); }
Then cleaning your statements a little:
    // Escape for the open mysql connection, then interpolate only the escaped value.
    $foo = mysql_real_escape_string($foo);
    $sql = "select * from foo where bar='{$foo}'";
etc.
In fact, you're better off just strictly turning off magic_quotes
if you have the ability to do so.
I hope that helps you.
Can't PHP do query parameters? If it can (as I'd be surprised if it didn't), that is the one solution which mitigates ALL SQL injection attacks.
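To show why the last answer is right, here is an added example (not from any poster in this thread) that runs the login query quoted above against an in-memory SQLite table three ways: SQL built from strings, SQL with the quote doubled by hand (the escaping approach), and a parameterized statement; it is written in Python so it runs stand-alone, and the PHP equivalent of the last function is PDO::prepare with ? placeholders. The table contents and the password value are constructed for the demo.

```python
import sqlite3

# Constructed sample data; the plaintext password column only mirrors the
# query quoted in the thread, it is not a recommendation.
CORRECT_PASSWORD = "hunter2-CONSTRUCTED"
PAYLOAD = "' or 1=1 --"   # the password typed into the form in the thread


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (user_name text, password text)")
    db.execute("insert into users values (?, ?)", ("admin", CORRECT_PASSWORD))
    db.commit()
    return db


def login_string_built(db, user_name, password):
    # The thread's pattern: request values pasted into the SQL text.
    # The payload closes the quote, adds "or 1=1" and comments out the rest.
    sql = (f"select * from users where user_name = '{user_name}' "
           f"and password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_hand_escaped(db, user_name, password):
    # Escaping approach: double every single quote so it stays inside the
    # literal (SQLite's rule; mysql_real_escape_string does the MySQL one).
    # It defeats this payload but depends on the escape matching the server's
    # charset and quoting rules, which is the magic-quotes weakness above.
    esc = lambda s: s.replace("'", "''")
    sql = (f"select * from users where user_name = '{esc(user_name)}' "
           f"and password = '{esc(password)}'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, user_name, password):
    # Placeholders: the SQL text is fixed and the values travel separately,
    # so no quote or comment sequence in the input can alter the statement.
    sql = "select * from users where user_name = ? and password = ?"
    return db.execute(sql, (user_name, password)).fetchone() is not None


def demo():
    db = make_db()
    return {
        "built_correct": login_string_built(db, "admin", CORRECT_PASSWORD),
        "built_payload": login_string_built(db, "admin", PAYLOAD),
        "escaped_payload": login_hand_escaped(db, "admin", PAYLOAD),
        "param_correct": login_parameterized(db, "admin", CORRECT_PASSWORD),
        "param_payload": login_parameterized(db, "admin", PAYLOAD),
    }
```

Only the string-built version lets the payload through; a logged failed login with a quote or `--` in the password field is a cheap detection signal while migrating old code.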