PHP built-in filter functions (handout)

2025-01-17 Update. From: SLTechnology News&Howtos (shulou), Database section


Shulou(Shulou.com)06/01 Report--

This article introduces the PHP built-in filter functions that were meant to defend against SQL injection, explains what each one actually does, and then shows, from practical experience, a trick that bypasses them.

0x00:php built-in filter function

PHP has built-in functions intended to defend against SQL injection. A few of them are briefly introduced here.

Magic quotes

When turned on, every ' (single quote), " (double quote), \ (backslash) and NUL character in the data is automatically escaped with a backslash. This is exactly what addslashes() does.

There are three magic-quote directives:

magic_quotes_gpc affects HTTP request data (GET, POST and COOKIE). It cannot be changed at run time. Its default value was on; the feature was deprecated in PHP 5.3 and removed in PHP 5.4. See get_magic_quotes_gpc().

If magic_quotes_runtime is enabled, most functions that return data from an external source, including databases and text files, have their output escaped with backslashes. This option can be changed at run time, and its default is off. See set_magic_quotes_runtime() and get_magic_quotes_runtime().

If magic_quotes_sybase is enabled, a single quote is escaped with another single quote instead of a backslash. This option completely overrides magic_quotes_gpc: if both are on, a single quote is escaped as '' and double quotes, backslashes and NUL characters are not escaped at all. See ini_get() for how to read its value.

mysql_real_escape_string()

Escapes the special characters in a string that is to be used in an SQL statement: \x00, \n, \r, \, ', " and \x1a. The escaping is done according to the character set of the current connection, which is the point the bypass below turns on: if the client library has not been told the connection charset (mysql_set_charset()), it escapes byte by byte. The whole mysql_* extension was removed in PHP 7.

addslashes()

Returns the string with a backslash added before each of the predefined characters ', ", \ and NUL. It knows nothing about the character set of the data.

Many PHP websites still rely on addslashes() and str_replace() as their anti-SQL-injection measure, and the "PHP anti-injection" articles found through Baidu recommend the same. In practice it turns out that even mysql_real_escape_string() can be bypassed. If your system still relies on any of these three methods, you are advised to replace them.

It hardly needs saying that using str_replace() and the other PHP string-substitution functions to prevent injection is a blacklist defence, and blacklists have not stood the test of time.

Here is a trick that bypasses addslashes() and mysql_real_escape_string().

If you are not sure whether your system is at risk of SQL injection, deploy the following demo on your own server (CVM). If you get the same results, refer to the final solution.

MySQL (note that both the database and the table columns use the GBK character set):

mysql> select version();
+---------------------+
| version()           |
+---------------------+
| 5.0.45-community-ny |
+---------------------+
1 row in set (0.00 sec)

mysql> create database test default charset GBK;
Query OK, 1 row affected (0.00 sec)

mysql> use test
Database changed
mysql> CREATE TABLE users (username VARCHAR(32) CHARACTER SET GBK, password VARCHAR(32) CHARACTER SET GBK, PRIMARY KEY (username));
Query OK, 0 rows affected (0.02 sec)

mysql> insert into users SET username='ewrfg', password='wer44';
Query OK, 1 row affected (0.01 sec)

mysql> insert into users SET username='ewrfg2', password='wer443';
Query OK, 1 row affected (0.01 sec)

mysql> insert into users SET username='ewrfg4', password='wer4434';
Query OK, 1 row affected (0.01 sec)

PHP:
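The PHP half of the demo is not reproduced on this page. As an added example that is not the article's code, the following self-contained Python models what that demo exercises against a GBK database: an attacker sends a stray GBK lead byte (0xBF) followed by a single quote, addslashes() (or a mysql_real_escape_string() that was never told the connection charset) inserts a backslash after the 0xBF, and the server, decoding GBK, reads 0xBF 0x5C as one two-byte character, leaving the quote unescaped. The helpers gbk_aware_escape() and literal_terminates_early() are simplified models of MySQL's charset-aware escape routine and of its string-literal lexer, and the payload is constructed for this example; no database is needed to run it.

```python
# Added example (not the article's PHP demo): a pure-Python model of the
# GBK "wide byte" trick, showing why charset-unaware escaping fails and
# why charset-aware escaping does not. The two MySQL-side helpers are
# simplified models, and the attacker payload is constructed.

GBK_LEAD = range(0x81, 0xFF)                              # first byte of a 2-byte GBK character
GBK_TRAIL = [b for b in range(0x40, 0xFF) if b != 0x7F]   # second byte of a 2-byte GBK character


def is_gbk_pair(lead: int, trail: int) -> bool:
    """True if the two bytes form one valid two-byte GBK character."""
    return lead in GBK_LEAD and trail in GBK_TRAIL


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): a backslash before ' " \\ and NUL, byte by byte.
    It has no idea which character set the bytes are in."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def gbk_aware_escape(data: bytes) -> bytes:
    """Model of mysql_real_escape_string() once the client library knows the
    connection charset is GBK (mysql_set_charset('gbk')): a valid GBK pair is
    copied through untouched; a byte that only *looks* like a GBK lead byte
    (no valid trail byte follows) is itself escaped, so the backslash added
    for the following quote can never be swallowed into a two-byte character."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if i + 1 < len(data) and is_gbk_pair(b, data[i + 1]):
            out += data[i:i + 2]
            i += 2
            continue
        if b in GBK_LEAD:
            out += b"\\" + bytes([b])
        elif b in b"'\"\\\x00\n\r\x1a":
            # the seven characters the PHP manual lists; NUL, LF, CR and ^Z use mnemonics
            out += b"\\" + {0x00: b"0", 0x0A: b"n", 0x0D: b"r", 0x1A: b"Z"}.get(b, bytes([b]))
        else:
            out.append(b)
        i += 1
    return bytes(out)


def literal_terminates_early(escaped: bytes) -> bool:
    """Model of the MySQL lexer scanning the contents of '...' on a GBK
    connection: a valid GBK pair is one character, a backslash protects exactly
    one following byte, and a bare ' closes the literal. True means the quote
    closed before the data ended, i.e. the rest is parsed as SQL (injection)."""
    i = 0
    while i < len(escaped):
        b = escaped[i]
        if i + 1 < len(escaped) and is_gbk_pair(b, escaped[i + 1]):
            i += 2
        elif b == 0x5C:
            i += 2
        elif b == 0x27:
            return True
        else:
            i += 1
    return False


# Constructed attacker input: a lone 0xBF (a GBK lead byte) followed by a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "


def demo() -> dict:
    naive = addslashes(PAYLOAD)        # 0xBF 0x5C 0x27 ... : 0xBF 0x5C is one valid GBK character
    aware = gbk_aware_escape(PAYLOAD)  # 0x5C 0xBF 0x5C 0x27 ... : lead byte and quote both escaped
    return {
        "naive_bytes": naive,
        "naive_decoded": naive.decode("gbk", errors="replace"),
        "naive_injects": literal_terminates_early(naive),
        "aware_bytes": aware,
        "aware_injects": literal_terminates_early(aware),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value!r}")
```

Running it shows naive_decoded as a single Chinese character followed by the bare `' OR 1=1 -- `, with naive_injects True and aware_injects False. The lesson is not that charset-aware escaping is the cure: it only holds if the client library and the server agree on the charset, and `SET NAMES gbk` issued as a plain query leaves the client library unaware. Set the charset through mysql_set_charset()/mysqli_set_charset() and, better still, use prepared statements (mysqli or PDO) so that data never has to be escaped into the query text at all.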
