doujiang1939 2015-08-07 23:06
浏览 35
已采纳

SQL注入语句[重复]

This question already has an answer here:

by setting a page, to "register" users into a mysql database, and using the following code:

$name = $_POST['name'];
$saltedpwd = md5($definedsalt.$_POST['pwd']);
$email = $_POST['email'];

$query = "INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '$name', '$saltedpwd', '$email' )";
$insert = mysqli_query($database, $query);

is it vulnerable to any possible SQL injections?

About the email activation code, using this code:

$address = $_GET['email'];

if (isset($_GET['val']) && (strlen($_GET['val']) == 64))
{
$validate = $_GET['val'];
}

if (isset($address) && isset($validate))
{
$query = "UPDATE users SET activated = 'true' WHERE ( email ='$address' AND validate='$val' ) LIMIT 1";
$result_query = mysqli_query($database, $query);

$get_member = ($database, "SELECT name FROM users WHERE email = '$email'");
$query_get = mysqli_fetch_array($get_member);
$validated_name = $query_get['name'];
$insert_validate = "INSERT INTO `member` ( `name` ) VALUES ( '$validated_name' );
$result_insert = mysqli_query($database, $insert_validate);

Is it then vulnerable to any SQL injections? I suppose yes, because I have to retrieve the value from a $_GET request, so I guess them are allowed to put something like: 

page.php?email=address@address.com'SQL_INJECTION'&val=123456asdfghjkl

Am I wrong? If it is actually vulnerable, how do I prevent any injections?

</div>
  • 写回答

2条回答 默认 最新

  • dongyi1111 2015-08-07 23:47
    关注

    Yes , it is ,

    what if user enters the following line as name ?

    ','',''); ANY_SQL_QUERY_HERE --

    then this

    $query = "INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '$name', '$saltedpwd', '$email' )";

    becomes

    INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '','',''); ANY_SQL_QUERY_HERE --', '$saltedpwd', '$email' )";

    You should NEVER use direct concatenation of strings to query , You must use prepared statements

    More about prepared statements - http://php.net/manual/en/pdo.prepared-statements.php

    for example , your query could be done like this

    $query = "INSERT INTO users (name,pwd,email) VALUES (:name,:pwd,:email)";
$statement = $pdoDatabaseHandle->prepare($query);
$statement->bindValue(':name',$name);
$statement->bindValue(':pwd',$saltedpwd);
$statement->bindValue(':email',$email);
$statement-execute();

    Overall SQL Injection is well explained at wikipedia - https://en.wikipedia.org/wiki/SQL_injection

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 stm32开发clion时遇到的编译问题