1. 技术文章
  2. SQL Injection Protection - single quotes [duplicate]

SQL Injection Protection - single quotes [duplicate]

三世轮回 提交于 2019-12-10 13:16:28

问题


Possible Duplicate:
Best way to prevent SQL injection in PHP?

Ive been doing a bit of testing to protect my sites from SQL Injection. I see there are a couple of ways of doing so, Escaping my user inputs, adding slashes, or better yet using parameterized sql statements.

I had this test code..

$q=$_GET["q"];
$game = mysql_query("SELECT * FROM `Games` WHERE `id` = '$q'");
$game = mysql_fetch_array($game);

echo "<h4>ID: ".$game[0]."<br /></h4>name: " . $game[1];

And I tried several SQLi requests and could not get my test page to error, or show any extra data.

But when i changed my sql statement code to this (Removed the single quotes around $q)..

$game = mysql_query("SELECT * FROM `Games` WHERE `id` = $q");

I could perform simple SQLi's and get some results.

So is just wrapping my user inputs in single quotes good enough? Or have i over looked more complex SQLi techniques?


回答1:


Try this input:

abc' OR id <> '

it will lead to following statement:

"SELECT * FROM `Games` WHERE `id` = 'abc' OR id <> ''"

That would return all games instead of only one. If your page allows to show the whole result, then we would definitely see too much...

The way out is to use PDO with prepared statements, are at least the mysqli_real_escape_string() function before inserting the user input into the SQL statement.

SQL-Injection can do a lot more, in the worst case you can even get control over the server. Have a look at this SQL Injection Cheat Sheet




回答2:


You are mentioning SQL injection and parameterized statements, but does not seem to be across PDO? - Use PDO http://www.php.net/manual/en/pdo.prepare.php




回答3:


you should use mysql_real_escape_string() function

In this case you have to use the single quotes

 $game = mysql_query("SELECT * FROM `Games` WHERE `id` = '$q'");

let suppose user input is 1' than the escape_string output will be 1\'

if you are not using quotes than the query will be

SELECT * FROM `Games` WHERE `id` = 1'

//that is wrong or a injection

But in the single quotes case

SELECT * FROM `Games` WHERE `id` = '1\''

that is good and can remove the sql-injection



来源:https://stackoverflow.com/questions/12863957/sql-injection-protection-single-quotes

标签
php
mysql
sql-injection
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!