Shulou(Shulou.com)06/01 Report--

This article mainly explains the difference between single-byte injection and wide-byte injection of SQL in MySQL. The explanation in this article is simple and clear and easy to learn and understand. Please follow Xiaobian's train of thought to study and learn the difference between single-byte injection and wide-byte injection of SQL in MySQL.

1. Single byte SQL injection

SQL injection of MYSQL has been around for a long time, and the following are commonly used injection steps:

1. Add a / * or # (mysql-specific comment) to the GET parameter to determine whether the database is mysql, such as:

Http://www.xxx.com.cn/article.php?id=1607 and 1, 1, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 3, 3, 6, 3, 3, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,

2. Guess the number of fields in a table. From order by 1 to the error on the page, you can get the number of fields in the table.

Inject URL: http://www.xxx.com.cn/article.php?id=1607 or 1 # 1 order by 1 #

Corresponding SQL:

Select * from articles where id=1607 or 1 "1 order by 1" … .

3. Use this table to make an associated query with the user table, and you can see the user name and password in the article list. When you also want to guess the table name of the user table and the field name of the user name and password, for example, the number of fields obtained in the previous step is 5:

Injected URL: http://www.xxx.com.cn/article.php?id=1607 or 1 # 1 union select username,password,1,2,3 from user

Corresponding SQL:

Select * from articles where id=1607 or 1 # 1 union select username,password,1,2,3 from user

So you can see the user name and password on the interface.

Solution:

Filtering data: this is not instigation. Using good data filtering in the right place can reduce most security risks and even eliminate some of them.

Enclose the data in parentheses: if your database allows it (MySQL allows it), any type of data is enclosed in single quotation marks in SQL statements.

Escape data: some legitimate data may inadvertently break the format of the SQL statement itself. Use mysql_escape_string () or the transfer function provided by the database you are using. If no such function is provided, addslashes () is also a good choice.

Second, wide byte injection

Wide-byte injection is also a problem found in recent projects. We all know that% df' is escaped by PHP (turn on GPC, use addslashes function, or icov, etc.), single quotation marks are appended with a backslash\, and become% df\', where the hexadecimal of\ is% 5C, so now% df\'=% df%5c%27. If the default character set of the program is a wide-byte character set such as GBK, then MYSQL uses GBK encoding. You will think that% df%5c is a wide character, that is,', that is,% df\'=% df%5c%27=', which is easy to inject with single quotation marks. For example:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.