Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about the defense measures of mysql injection at the PHP code level, which may not be well understood by many people. in order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

Pre-knowledge

What is sql injection?

The server does not strictly filter the parameters submitted by the user, so that the SQL statement can be inserted into the controllable parameters to change the original SQL semantic structure, so as to execute the results expected by the attacker.

Detection of sql injection

Determine the type of database

Port

Error message

Some databases commonly used in middleware

PHP MySQL

ASP SQL Server

ASPX SQL Server

JSP MySQL Oracle

Looking for SQL injection points

Looking for controllable parameters that interact with the database

GET

POST

COOKIE

HTTP header

Determine the injection point

The core idea of determining the injection point is to determine whether the inserted data is executed as a SQL statement. You can use simple arithmetic operations to test.

The principle of SQL injection defense

Precompile SQL statements and bind variables

Use sufficiently stringent filtering and security defenses

Web application passes statement template to database

The database compiles the template, and the semantics will not change after compilation.

Variable binding, Web applications pass variables to the database, variables will only be identified as data, not as semantic structures

Execute SQL statement

The core of SQL injection: confusion between data and code.

PDO

What is PDO?

The PHP data object (PDO) extension defines a lightweight and consistent interface for PHP to access the database.

PDO provides a data access abstraction layer, which means that no matter which database you use, you can use the same function (method) to query and retrieve data.

PDO is the most typical precompiled query in php.

SQL injection in PDO scenario

The main settings for PDO security-related issues are as follows:

PDO::ATTR_EMULATE_PREPARES # Analog pre-compiled PDO::ATTR_ERRMODE # error PDO::MYSQL_ATTR_MULTI_STATEMENTS # Multi-statement execution

The first is analog precompilation, and if it is False, there is no SQL injection; if it is True, PDO is not really precompiled, but converts the input uniformly to characters and escapes special characters. In this way, there is wide byte injection if it is gbk encoding.

The second item reports an error. If it is set to True, some information may be disclosed.

The third item is multi-statement execution, and if it is set to True and the first item is also True, there will be a double vulnerability of wide byte + stack injection.

The prevention of such problems mainly includes the following three aspects:

Reasonable and safe use of gbk coding. Even if PDO precompilation is used, if analog precompilation is enabled, it can still cause wide byte injection.

When using PDO, be sure to set the simulation precompilation to false.

Prepare Statement manual precompilation can be used to prevent SQL injection.

Code example

$dbh = new PDO ('mysql:dbname=testdb;host=127.0.0.1', $user, $password); $stmt = $dbh- > prepare (' INSERT INTO REGISTRY (name, value) VALUES (: name,: value)'); $stmt- > bindParam (': name', $name); $stmt- > bindParam (': value', $value); / / insert one row$name = 'one';$value = 1Testt-> execute ()

Or

$dbh = new PDO ('mysql:dbname=testdb;host=127.0.0.1', $user, $password); $stmt = $dbh- > prepare (' UPDATE people SET name=: new_name WHERE id =: id'); $stmt- > execute (array ('new_name' = > $name,' id' = > $id))

For more information, please refer to:

Understanding the principle and correct use of PDO from wide Byte injection

Basic arrangement of SQL injection and summary of Tricks

Technology sharing | MySQL injection attack and defense

ODBC

ODBC is an application programming interface (Application Programming Interface,API) that gives us the ability to connect to a data source, such as an MS Access database.

Code example

$stmt = odbc_prepare ($conn, 'SELECT * FROM users WHERE email =?'); $success = odbc_execute ($stmt, array ($email))

Or

$dbh = odbc_exec ($conn, 'SELECT * FROM users WHERE email =?', array ($email)); $sth = $dbh- > prepare ('SELECT * FROM users WHERE email =: email'); $sth- > execute (array (': email' = > $email)); MYSQLi

The MySQLi function allows you to access the MySQL database server.

$stmt = $db- > prepare ('update name set name =? where id =?'); $stmt- > bind_param ('si',$name,$id); $stmt- > execute (); Framework

For a framework, just follow the API of the framework, such as wp query

Global $wpdb;$wpdb- > query ($wpdb- > prepare ('SELECT name FROM people WHERE id =% d OR email =% people personalization id, $person_email)); global $wpdb;$wpdb- > insert (' people',array ('person_id' = >' 123 recording charge personalities emailable'= > 'bobby@tables.com'), array ('% dwells,'% s')); after reading the above, do you have any further understanding of the defense measures injected by mysql at the PHP code level? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.