dongyan1936 2014-09-01 06:11
Views: 22
Accepted

Is a database query that uses cookie data still vulnerable to SQL injection or similar attacks after the data has been filtered?

Example:

Database Connect and Filter

// Initialize MySQLi connection ($_CONFIG is assumed to be loaded earlier from a config file)
$db = new mysqli($_CONFIG['mysql']['hostname'], $_CONFIG['mysql']['username'], $_CONFIG['mysql']['password'], $_CONFIG['mysql']['database']);
if ($db->connect_errno) {
    die("MySQLi error: " . $db->connect_error);
}

//filter injections
function filter($var)
{
    global $db;
    return $db->real_escape_string(stripslashes(htmlspecialchars($var)));
}

Set cookie after a successful login, check cookie and re-update each time

if ($loginOk) {
    // after successful login; $loginOk and $recentIP are assumed to be set by the login check above
    $cookiehash = md5(sha1($_SESSION['user_id'] . $recentIP));
    $db->query('UPDATE users SET loginHash = "' . filter($cookiehash) . '" WHERE id = ' . filter($_SESSION['user_id'])) or die(mysqli_error($db));
    setcookie("customCookie", $cookiehash, time() + 3600 * 24 * 365, '/', '.' . $_SERVER['HTTP_HOST']);
}


// if the cookie is set, update expiration and set session id
function CheckCookieLogin()
{
    global $db;
    if (!empty($_COOKIE['customCookie'])) {
        $cookie = $_COOKIE['customCookie'];
        $query = $db->query('SELECT * FROM users WHERE loginHash = "' . filter($cookie) . '"');

        if ($query && $query->num_rows > 0) {
            // use the id of the matched row rather than a hard-coded user id
            $row = $query->fetch_assoc();
            $_SESSION['user_id'] = (int) $row['id'];
            // reset expiry date
            setcookie("customCookie", $cookie, time() + 3600 * 24 * 365, '/', '.' . $_SERVER['HTTP_HOST']);
        }
    }
}

Would this still be vulnerable to any sort of injection attack?


1 answer

  • 普通网友 2014-09-01 08:17

    The cookie is stored on the client's computer, and thus vulnerable to attack, the so-called 'Cookie Poisoning attacks'. So treat the content with care. This is what you seem to do with your filter() routine.

    It can still be improved however. What if you could check whether the cookie has been modified, without having to access your database? This might seem more difficult than it is.

    A simple method is adding some sort of checksum to the content of the cookie, something you can check but is not obvious to the hacker. The hacker would first have to figure out what you're doing, before he, or she, can even start to change the data that enters your SQL statement. It is the difference between accepting any content from the cookie and putting it in an SQL statement, or only accepting content which you can verify not to have been modified.

    This answer was selected as the best answer by the asker.
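The following is an added example of the checksum idea from the answer above; it is not code from the question or the answer. The cookie carries a user id, a random login token and an HMAC over both, so a modified cookie is rejected by hash_equals() before any SQL runs, and the remaining lookup uses a prepared statement so the cookie value is never spliced into query text. It assumes the question's $db mysqli connection, a $_CONFIG['cookie']['secret'] entry holding a server-side random secret (a hypothetical config key), PHP 7.3 or later for the array form of setcookie(), and the mysqlnd driver for get_result().

```php
<?php
// Added example: HMAC-checked login cookie plus parameterised lookup.
// Assumes $db (mysqli) and $_CONFIG as in the question; the cookie secret key
// is a hypothetical config entry that must be random and never sent to clients.

const COOKIE_NAME = 'customCookie';
const COOKIE_TTL  = 3600 * 24 * 365;

function cookieSecret(): string
{
    global $_CONFIG;
    return $_CONFIG['cookie']['secret']; // assumption: 32+ random bytes, set server-side
}

// Cookie layout: "<user_id>.<login_token>.<hmac>"
function buildCookieValue(int $userId, string $loginToken): string
{
    $payload = $userId . '.' . $loginToken;
    $mac = hash_hmac('sha256', $payload, cookieSecret());
    return $payload . '.' . $mac;
}

// Verify the checksum first; returns [userId, loginToken] or null if the cookie
// was altered. Nothing reaches the database when verification fails.
function parseCookieValue(string $value): ?array
{
    $parts = explode('.', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $loginToken, $mac] = $parts;
    // Shape checks: numeric id, 32 hex chars for the token (16 random bytes).
    if (!ctype_digit($userId) || strlen($loginToken) !== 32 || !ctype_xdigit($loginToken)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '.' . $loginToken, cookieSecret());
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    return [(int) $userId, $loginToken];
}

function cookieOptions(): array
{
    return [
        'expires'  => time() + COOKIE_TTL,
        'path'     => '/',
        'secure'   => true,   // only over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

// Call after a successful login; the token is random, not derived from the
// user id or IP, so it cannot be reconstructed by an attacker.
function issueLoginCookie(mysqli $db, int $userId): void
{
    $loginToken = bin2hex(random_bytes(16));
    $stmt = $db->prepare('UPDATE users SET loginHash = ? WHERE id = ?');
    $stmt->bind_param('si', $loginToken, $userId);
    $stmt->execute();
    setcookie(COOKIE_NAME, buildCookieValue($userId, $loginToken), cookieOptions());
}

// Replacement for CheckCookieLogin(): verify, then look up with bound parameters.
function checkCookieLogin(mysqli $db): void
{
    if (empty($_COOKIE[COOKIE_NAME])) {
        return;
    }
    $parsed = parseCookieValue($_COOKIE[COOKIE_NAME]);
    if ($parsed === null) {
        // Tampered or malformed cookie: discard it and stay logged out.
        setcookie(COOKIE_NAME, '', time() - 3600, '/');
        return;
    }
    [$userId, $loginToken] = $parsed;
    $stmt = $db->prepare('SELECT id FROM users WHERE id = ? AND loginHash = ? LIMIT 1');
    $stmt->bind_param('is', $userId, $loginToken);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row) {
        $_SESSION['user_id'] = (int) $row['id'];
        // Refresh the expiry with the same, already verified value.
        setcookie(COOKIE_NAME, $_COOKIE[COOKIE_NAME], cookieOptions());
    }
}
```

The HMAC check answers the "has it been modified?" question without a database round trip, and binding parameters removes the need for the filter() chain in the query path altogether: the value is sent to MySQL as data, never as SQL text, so quoting and escaping mistakes (such as an unquoted numeric column) no longer matter.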
