Analysis of methods to prevent sql injection in PHP login
Lapses in SQL injection prevention usually come from careless or novice programmers who do not filter the data users submit in any particular way, so the database can be broken into with a single test. Here I show a simple SQL injection that can occur at user login when nothing has been done to secure the query. Let's take a look.
For example, the following login code:
The code is as follows:

<?php
// Legacy mysql_* code as shown in the article; this extension was removed in PHP 7
// and is kept here only to illustrate the vulnerable query construction.
$l = @mysql_connect('localhost', 'root', '123') or die('Database connection failed');
mysql_select_db('test');
mysql_set_charset('utf8');
// The credentials come straight from the login form, with no escaping or binding
$username = $_POST['username'];
$password = $_POST['password'];
// A double-quoted PHP string, so $username and $password are interpolated into the SQL text
$sql = "select * from test where username = \"$username\" and password = \"$password\"";
$res = mysql_query($sql);
if (mysql_num_rows($res)) {
    header('Location: ./home.php');
} else {
    die('Incorrect input');
}
Pay attention to the SQL statement above: it carries a serious security risk. With the following universal password or universal username, anyone can reach the logged-in page:
The code is as follows:

1. $sql = 'select * from test where username = "***" and password = "***" or 1 = "1"';
Obviously, the universal password for this SQL statement is: ***" or 1 = "1
The code is as follows:

2. $sql = 'select * from test where username ="***" union select * from users/* and password = "***"';
The /* opens a comment, so everything after it is not executed; MySQL supports UNION queries, so this statement simply returns all the data. The universal username for this SQL statement is therefore: ***" union select * from users/*
However, this injection targets only the SQL statement as written in the code. If it is instead

The code is as follows:

$sql = "select * from test where username = $username and password = $password";

then the injections above no longer work as they stand, although the method is the same.
Once PDO prepared statements are used, SQL injection can be avoided entirely; and in today's era of rapid development, where frameworks are everywhere, there is little need to think too hard about SQL injection any more.
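The contrast described above, as an added example that is not part of the original article: the article's login query built the vulnerable way and then as a PDO prepared statement, both run against an in-memory SQLite database so the script runs offline without a MySQL server. The table name `test`, its columns and the single user row are constructed sample data; the payload is the article's universal password rewritten for the single-quote string delimiters that standard SQL uses.

```php
<?php
// Added example, not from the original article: the article's login query built
// two ways against an in-memory SQLite database via PDO, so it runs offline.
// Table "test", its columns and the single user row are constructed sample data.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE test (username TEXT, password TEXT)');
    // Stored in clear only to mirror the article's schema; real code stores a
    // password_hash() and checks it with password_verify() after the lookup.
    $db->exec("INSERT INTO test VALUES ('alice', 'correct-horse')");
    return $db;
}

// The article's construction: form values interpolated into the SQL text.
// Standard single-quote delimiters are used instead of the article's double quotes.
// Returns the number of matching rows, the value mysql_num_rows() gave the article.
function login_interpolated(PDO $db, string $username, string $password): int
{
    $sql = "select * from test where username = '$username' and password = '$password'";
    return count($db->query($sql)->fetchAll());
}

// The fix: a prepared statement with bound parameters. The SQL text is fixed
// before any user data is seen, so the values can only ever be compared as data.
function login_prepared(PDO $db, string $username, string $password): int
{
    $stmt = $db->prepare('select * from test where username = ? and password = ?');
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll());
}

$db = make_db();
// The article's universal password, rewritten for single-quote delimiters.
$universal = "' or '1'='1";

printf("interpolated / real credentials:   %d row(s)\n", login_interpolated($db, 'alice', 'correct-horse'));
printf("interpolated / universal password: %d row(s)\n", login_interpolated($db, 'nobody', $universal));
printf("prepared / real credentials:       %d row(s)\n", login_prepared($db, 'alice', 'correct-horse'));
printf("prepared / universal password:     %d row(s)\n", login_prepared($db, 'nobody', $universal));
```

With the interpolated query the universal password matches a row even though the username does not exist, because the trailing `or '1'='1'` makes the WHERE clause true for every row; with the prepared statement the very same text is compared as a password literal and matches nothing. Note that the prepared statement also removes the need for the `addslashes()`-style filters shown later on this page, and that it works the same way with the `mysql:` PDO driver.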
Below I have collected two functions for preventing SQL injection.
The code is as follows:

<?php
$get = array();
$post = array();
/* Filter every variable that arrived via GET */
foreach ($_GET as $get_key => $get_var) {
    if (is_numeric($get_var)) {
        $get[strtolower($get_key)] = get_int($get_var);
    } else {
        $get[strtolower($get_key)] = get_str($get_var);
    }
}
/* Filter every variable that arrived via POST */
foreach ($_POST as $post_key => $post_var) {
    if (is_numeric($post_var)) {
        $post[strtolower($post_key)] = get_int($post_var);
    } else {
        $post[strtolower($post_key)] = get_str($post_var);
    }
}
/* Filter functions */
// Integer filter: casts to int, so anything after the leading digits is dropped
function get_int($number)
{
    return intval($number);
}
// String filter: backslash-escapes quotes, backslashes and NUL unless magic_quotes_gpc
// already did so. get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
function get_str($string)
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return addslashes($string);
    }
    return $string;
}
Some blogs also write it like this:
The code is as follows:

<?php
function post_check($post)
{
    // Check whether magic_quotes_gpc is on; the function was removed in PHP 8,
    // so guard the call with function_exists()
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        $post = addslashes($post); // escape the submitted data when magic_quotes_gpc is off
    }
    $post = str_replace("_", "\_", $post); // escape '_' (LIKE wildcard)
    $post = str_replace("%", "\%", $post); // escape '%' (LIKE wildcard)
    $post = nl2br($post);                  // convert line breaks
    $post = htmlspecialchars($post);       // convert HTML markup
    return $post;
}
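The `_` and `%` replacements in post_check() above matter only inside a LIKE pattern, where they are wildcards; they are not SQL string delimiters, and nl2br()/htmlspecialchars() are output encoding, not database escaping. As an added example that is not the article's code, here is the same wildcard escaping done where it belongs, next to the bound parameter that carries the pattern. The table `test` and column `username` follow the article's login table; the prefix-search query and the sample rows are assumptions.

```php
<?php
// Added example, not from the original article. The `_` and `%` replacements in
// post_check() matter only inside a LIKE pattern; they are applied here next to the
// bound parameter that carries the pattern instead of in a global input filter.

// Escape the LIKE metacharacters and the chosen escape character itself.
// '!' is used rather than a backslash so the same SQL works unchanged on MySQL,
// where a backslash inside a string literal is itself an escape character.
function escape_like(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Prefix search on usernames. The pattern is still a bound parameter, so quoting
// and injection are the driver's job; escape_like() only stops a user-supplied
// '%' or '_' from widening the match.
function find_users_by_prefix(PDO $db, string $prefix): array
{
    $stmt = $db->prepare("select username from test where username like ? escape '!'");
    $stmt->execute([escape_like($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test (username TEXT, password TEXT)');
$db->exec("INSERT INTO test VALUES ('alice', 'x'), ('al_ice', 'x'), ('bob', 'x')");

print_r(find_users_by_prefix($db, 'al'));  // plain prefix
print_r(find_users_by_prefix($db, 'al_')); // the '_' is escaped, so it matches only a literal underscore
print_r(find_users_by_prefix($db, '%'));   // the '%' is escaped, so it does not match every row
```

The prefix `al` matches both `alice` and `al_ice`, while `al_` matches only `al_ice` because the escaped underscore is compared literally; a bare `%` finds nothing, since no username contains a literal percent sign. Escaping wildcards is a search-semantics concern, separate from injection, which the bound parameter already handles; htmlspecialchars() belongs at the point where a value is printed into HTML, not before it is stored.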