How does MySQL prevent SQL injection? SQL injection principles and prevention

MySQL and SQL injection

If you take data entered by a user through a web page and insert it into a MySQL database, there may be an SQL injection security problem.

This chapter introduces how to prevent SQL injection and how to use a script to filter the characters that get injected into SQL.

So-called SQL injection is deceiving the server into executing malicious SQL commands by inserting SQL commands into a web form submission, or into the query string of a domain name or page request.

We should never trust user input; we must assume that user input is unsafe, and all user input data must be filtered.

In the following example, the entered username must be a combination of letters, digits and underscores, and the username must be between 8 and 20 characters long:

if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
{
   // $matches[0] is the whole match, so only [A-Za-z0-9_]{8,20} can reach the query;
   // the value is a string and must still be quoted inside the SQL text
   $result = mysqli_query($conn, "SELECT * FROM users
                          WHERE username='$matches[0]'");
}
else
{
   echo "username 输入异常";
}

Let's look at what happens to the SQL when special characters are not filtered:

// Suppose an SQL statement we do not want has been inserted into $name
$name = "Qadir'; DELETE FROM users;";
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

In the injected statement above, we did not filter the $name variable. An SQL statement we do not want has been inserted into $name, and it would delete all the data in the users table.

mysqli_query() in PHP does not allow executing multiple SQL statements, but SQLite and PostgreSQL can execute several SQL statements at once, so data from these users must be validated strictly.

To prevent SQL injection, we need to pay attention to the following points:
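The same query as above, written once with string interpolation and once as a mysqli prepared statement. This is an added example, not code from the original article; the connection parameters and the users(id, name) columns are assumptions, and the input string is the article's own constructed example.

```php
<?php
// Added example (not from the original article). Connection parameters are placeholders.
$conn = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
if ($conn === false) {
    die('connect failed: ' . mysqli_connect_error());
}
mysqli_set_charset($conn, 'utf8mb4');

// Constructed attacker-style input, taken from the article's example.
$name = "Qadir'; DELETE FROM users;";

// VULNERABLE: the value is pasted into the SQL text. Whether the quote in $name
// terminates the string literal depends entirely on the input being harmless, and a
// driver that allows stacked statements would run the second statement.
$unsafeSql = "SELECT * FROM users WHERE name='{$name}'";
echo "SQL text the interpolation would send: {$unsafeSql}\n";

// SAFE: the statement text and the parameter travel to the server separately, so
// the server never parses "Qadir'; DELETE FROM users;" as SQL. It is just a name.
function findUserByName(mysqli $conn, string $name): array
{
    $stmt = mysqli_prepare($conn, 'SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 's', $name);   // 's' marks a string parameter
    mysqli_stmt_execute($stmt);
    $rows = mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

var_dump(findUserByName($conn, $name));   // empty unless a user literally has that name
```

The prepared statement needs no escaping at all, because the parameter is never part of the SQL text the server parses; that is why point 2 of the list below recommends parameterized SQL over assembling queries from strings.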

1. Never trust user input. To check user input you can use regular expressions or limit its length; convert single quotes and the double "-", etc.
2. Never use dynamically assembled SQL; use parameterized SQL or call stored procedures directly for data queries and access.
3. Never use a database connection with administrator privileges; use a separate database connection with limited privileges for each application.
4. Do not store confidential information directly; encrypt or hash passwords and sensitive information.
5. The application's error messages should give as few hints as possible; it is best to wrap the original error messages in custom error messages.
6. SQL injection is generally detected with auxiliary software or website platforms: software typically uses the SQL injection detection tool jsky, and website platforms offer the Yisi website security platform detection tool, MDCSOFT SCAN, etc. Using MDCSOFT-IPS can effectively defend against SQL injection, XSS attacks, etc.

Preventing SQL injection

In scripting languages such as Perl and PHP, you can escape the data entered by the user to prevent SQL injection.

The MySQL extension for PHP provides the mysqli_real_escape_string() function to escape special input characters.

// Magic quotes (removed in PHP 8) would already have added slashes; undo them first
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
  $name = stripslashes($name);
}
$name = mysqli_real_escape_string($conn, $name);
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");
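Escaping only protects a value that ends up inside quotes, and only when the connection charset is set before escaping. The added example below (not from the original article; the connection parameters and the users.id column are assumptions) wraps mysqli_real_escape_string() so the quotes are always added, and shows why a numeric placeholder needs a cast rather than escaping: the article's own payload contains no quote character, so escaping leaves it untouched in a bare `id=` context.

```php
<?php
// Added example (not from the original article). Connection parameters are placeholders.
$conn = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
if ($conn === false) {
    die('connect failed: ' . mysqli_connect_error());
}
// Escaping is charset-aware: set the connection charset before any escaping call.
mysqli_set_charset($conn, 'utf8mb4');

function quoteString(mysqli $conn, string $value): string
{
    // The quotes are part of the protection: without them the backslashes that
    // mysqli_real_escape_string() inserts have no string literal to keep closed.
    return "'" . mysqli_real_escape_string($conn, $value) . "'";
}

function quoteInt($value): int
{
    // A bare number in SQL has no quote to escape, so escaping does nothing here;
    // casting guarantees that only an integer can reach the SQL text.
    return (int) $value;
}

// Constructed inputs: the article's string payload, and the same payload where a
// numeric id is expected. Escaping the second one would change nothing, because
// it contains no quote; the cast reduces it to its leading integer.
$name = "Qadir'; DELETE FROM users;";
$id   = "1; DELETE FROM users;";

$sql = sprintf(
    'SELECT * FROM users WHERE name=%s OR id=%d',
    quoteString($conn, $name),
    quoteInt($id)
);
echo $sql, "\n";
$result = mysqli_query($conn, $sql);
```

Keeping quoting and escaping in one helper (quoteString) removes the common mistake of escaping a value and then forgetting the quotes around it in the query; for everything that is not a string, a type cast is the right tool.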

Injection in LIKE statements

When querying with LIKE, if the values the user enters contain "_" and "%", the following can happen: the user only wanted to query for "abcd_", but the query results also contain "abcde", "abcdf" and so on; there is also a problem when the user wants to query for "30%" (note: thirty percent).

In PHP scripts we can use the addcslashes() function to handle the situation above, as in the following example:

$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

The addcslashes() function adds a backslash before the specified characters.

Syntax:

addcslashes(string,characters)

Parameter    Description
string       Required. Specifies the string to check.
characters   Optional. Specifies the characters or range of characters affected by addcslashes().
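The LIKE case above combines two different escapings in one call: mysqli_real_escape_string() for the string literal and addcslashes() for the wildcards. With a prepared statement only the wildcard escaping remains, because the value never becomes part of the SQL text. The added example below (not from the original article; the connection parameters and the messages(id, subject) columns are assumptions) separates the wildcard escaping into a small helper and binds the finished pattern as a parameter; it also escapes the backslash itself, which the article's call does not, so an input containing a backslash cannot undo the escaping.

```php
<?php
// Added example (not from the original article).

function escapeLike(string $value): string
{
    // Escape the escape character itself first, then the two LIKE wildcards.
    // MySQL's default LIKE escape character is the backslash.
    return addcslashes($value, '\\%_');
}

// Constructed inputs covering the cases the article mentions.
foreach (['abcd_', '30%', 'plain', 'back\\slash'] as $in) {
    echo $in, ' -> ', escapeLike($in), "\n";
}

// Connection parameters are placeholders.
$conn = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
if ($conn === false) {
    die('connect failed: ' . mysqli_connect_error());
}
mysqli_set_charset($conn, 'utf8mb4');

function findSubjectsStartingWith(mysqli $conn, string $prefix): array
{
    // The user's wildcards are escaped and the trailing % is appended by us,
    // so only our % acts as a wildcard. The pattern is bound, not interpolated,
    // so no mysqli_real_escape_string() is needed for the string literal.
    $pattern = escapeLike($prefix) . '%';
    $stmt = mysqli_prepare($conn, 'SELECT id, subject FROM messages WHERE subject LIKE ?');
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 's', $pattern);
    mysqli_stmt_execute($stmt);
    $rows = mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Matches subjects that begin with the literal text "30%", not "30" followed by anything.
var_dump(findSubjectsStartingWith($conn, '30%'));
```

The two mechanisms address different layers: parameter binding keeps the value out of the SQL grammar, while escapeLike() keeps it out of the LIKE pattern grammar. Neither one replaces the other.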

Chen Weiliang Blog ( https://www.chenweiliang.com/ ) hopes that sharing "How does MySQL prevent SQL injection? SQL injection principles and prevention" helps you.

You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-500.html
