This article introduces methods for comprehensively preventing SQL injection attacks in PHP. It should be a useful reference for readers who need it.
There may be many different motives for an attack, but at first glance there seem to be even more kinds of attack. That is especially true if a malicious user finds a way to execute multiple queries.
If your script executes a SELECT statement, an attacker can force every row of a table to be displayed by injecting an always-true condition such as 1=1 into the WHERE clause, as shown below (the injected part is the text from the closing quote after lagrein onward):
SELECT * FROM wines WHERE variety = 'lagrein' OR 1=1;'
As noted earlier, this can be useful information in itself, since it reveals the general structure of the table (which a single normal record would not), as well as records that may contain confidential information.
An UPDATE command potentially poses a more direct threat. By injecting additional assignments into the SET clause, an attacker can modify any field of the records being updated, as in the following example (the injected part is the text following red):
UPDATE wines SET type='red', vintage='9999' WHERE variety = 'lagrein'
By adding an always-true condition such as 1=1 to the WHERE clause of an UPDATE statement, the scope of the modification can be extended to every record, as in the following example (the injected part is the text following red):
UPDATE wines SET type='red', vintage='9999' WHERE variety = 'lagrein' OR 1=1;'
Perhaps the most dangerous command is DELETE, which is not hard to imagine. The injection technique is the same as we have already seen: modify the WHERE clause to widen the set of affected records, as in the following example (the injected part is the text from the closing quote after lagrein onward):
DELETE FROM wines WHERE variety = 'lagrein' OR 1=1;'
Multiple Query Injections
Multiple query injections increase the potential damage an attacker can cause by allowing several destructive statements to be included in a single query. With a MySQL database, an attacker can achieve this by inserting an unexpected terminator into the query: an injected quote (single or double) marks the end of the expected variable, and a semicolon then ends the statement. An additional attack command can then be appended to the end of the now-terminated original statement. The final destructive query might look like this:
SELECT * FROM wines WHERE variety = 'lagrein';GRANT ALL ON *.* TO 'BadGuy'@'%' IDENTIFIED BY 'gotcha';'
This injection creates a new user BadGuy with network privileges (all privileges on all tables) and an "ominous" password, all appended to a simple SELECT statement. If you followed our advice in the previous article and severely restricted the privileges of the process user, this should not work, because the web server daemon no longer has the GRANT privilege that you revoked. In theory, though, such an attack could give BadGuy free rein to do whatever he wants with your database.
Whether such a multiple query is actually processed by the MySQL server is not entirely clear. Some of this may be due to differing versions of MySQL, but most of it is due to the way the multiple queries are presented. The MySQL monitor program fully permits such a query. The commonly used MySQL GUI, phpMyAdmin, copies out everything before the final query and processes only that.
Most multiple queries in an injection context, however, are handled by PHP's mysql extension. Fortunately, by default it does not allow multiple statements in one query; attempting to execute two statements (such as the injection shown above) simply fails, with no error set and no output produced. In this case, PHP's default behaviour, although merely "regular", does protect you from most simple injection attacks.
The new mysqli extension in PHP 5 (see http://php.net/mysqli), like mysql, does not support multiple queries by default, but it does provide a mysqli_multi_query() function that lets you perform them if you really want to.
The situation with SQLite, the embeddable SQL database engine bundled with PHP 5 (see http://sqlite.org/ and http://php.net/sqlite), is more worrying, since its ease of use has attracted the attention of many users. In some cases, SQLite permits such multi-statement queries by default, because the database can optimize batch queries, and batch INSERT processing in particular is very efficient.
However, if the results of the query are used by your script (for example, when a SELECT statement retrieves records), the sqlite_query() function does not allow multiple queries to be executed.
3. Invision Power Board SQL Injection Vulnerability
Invision Power Board is a well-known forum system. On May 6, 2005, a SQL injection vulnerability in its login code was discovered by James Bercegay of GulfTech Security Research.
The login query is as follows:
$DB->query("SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'");
The member ID variable $mid and the password ID variable $pid are retrieved via the my_getcookie() function using the following two lines of code:
$mid = intval($std->my_getcookie('member_id'));
$pid = $std->my_getcookie('pass_hash');
Here, the my_getcookie() function retrieves the requested variable from the cookie with the following statement:
return urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]);
[Note] The value returned from the cookie is not processed at all. Although $mid is cast to an integer before being used in the query, $pid is left unchanged, so it is vulnerable to the type of injection attack we discussed earlier.
Accordingly, the vulnerability was closed by modifying the my_getcookie() function as follows:
if ( ! in_array( $name, array('topicsread', 'forum_read', 'collapseprefs') ) )
{
    return $this->clean_value(urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]));
}
else
{
    return urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]);
}
After this correction, the critical variables are returned only after passing through the global clean_value() function, while the other variables are not checked.
Now that we have a general understanding of what SQL injection is, how it works and how severe the vulnerability can be, let us discuss how to prevent it effectively. Fortunately, PHP provides us with abundant resources, so we can confidently predict that an application built carefully and thoroughly with the techniques we recommend will essentially eliminate any possibility of SQL injection from your scripts, by "sanitizing" your users' data before it can do any damage.