Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you about how to analyze SQL injection from a code point of view. The article is rich in content and analyzed and described from a professional point of view. I hope you can get something after reading this article.

When a novice is getting started with web security, sql injection is often the first loophole, and it is also a loophole with considerable harm. If there is this loophole, there will be the risk of being taken off.

Loophole explanation

The picture shows a normal landing frame.

Grab the package when you click to log in

At this point, throw it directly into the sqlmap for injection detection.

You can see that the system environment, database version and other information are directly exposed.

Here is a supplement to the code used earlier.

Login.php

Logins.php

The code receives the parameters directly, and then takes them directly into the query database without any filtering, which leads to the generation of sql injection.

Simple repair

Here, you only need to filter the incoming parameters, there are many ways to filter, here I use the addslashes () function to filter.

First, add a filtering function.

Then, when passed in, the variable is filtered

Sqlmap, run again at this time.

It can't be injected anymore.

Development

There is a problem to pay attention to here. The addslashes () function also has a way to bypass it, so be sure to pay attention to the following problems

1. Do not use gbk, there will be wide byte injection

two。 After encoding and decoding, be sure to filter again

3. After using this function, never use the stripslashes () function again.

4. If you want to replace a string, you must pay attention to its rigor.

This is how to analyze SQL injection from a code point of view. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.