Shulou(Shulou.com)06/03 Report--

This article will explain in detail the example analysis of the hidden dangers of URL special character processing and SQL injection in the CI framework. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.

The details are as follows:

Many URL special characters in the php CI framework are not supported, so it is a headache that the characters cannot be displayed properly for commonly used categories such as cantilever and parentheses, while adding special characters such as single quotation marks' backslash\ in the configuration is easy to inject into sql.

Add: + = () special characters to the default config configuration

# $config ['permitted_uri_chars'] =' a murz 0-9 percent. Config _\ -'; $config ['permitted_uri_chars'] =' amerz 0-9 percent. Config _\ -\ + = ()'

In the CI framework, it is reasonable to use the AR class for database queries as much as possible, because at the bottom it will help the user with an effective escape, but it is only an escape.

The filtering method is escape_str ():

Function escape_str ($str, $like = FALSE) {var_dump ($str); echo "\ n"; if (is_array ($str)) {foreach ($str as $key = > $val) {$str [$key] = escape_str ($val, $like);} return $str;} if (function_exists ('mysql_real_escape_string')) {$str = addslashes ($str) } elseif (function_exists ('mysql_escape_string')) {$str = mysql_escape_string ($str);} else {$str = addslashes ($str);} / / escape LIKE condition wildcards if ($like = TRUE) {$str = str_replace (array ('%','_'), array ('\%','\ _'), $str);} return $str;}

This method simply calls some escape functions and filters the like parameters.

If the queried variable is not wrapped in single quotation marks, it cannot be protected

The default filtering function of the ci framework is escape:

Xx ". $this- > db- > escape ($xxx)." xx

Due to the lax $key filtering of the array, vulnerabilities that are brought directly into the SQL query are common:

$arr = array ('name'= > "2' and 1x2", "hello'" = > "2");)

Output result:

Array (

[name] = > 2\ 'and 1: 2

[hello' union select] = > 2

)

If the real sql statement passes the above two parameters together, all the information can be queried, which belongs to the sql injection

On the "CI framework of URL special character processing and SQL injection of hidden dangers example analysis" this article is shared here, I hope the above content can be of some help to you, so that you can learn more knowledge, if you think the article is good, please share it out for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.