duanlie1298 2014-05-22 06:21
Views: 44

Old messy PHP code and MySQL injection [duplicate]


I have a small headache with an old project of mine. I wanted to put back online a legacy version of the website I once managed. The problem is, it was coded with PHP back in 1998+, at a time when I had little to no knowledge about security issues (15yo taking first lessons in scripting stuff). When I examine the code now, I can see very little harm that can possibly be done, since most of the code does basic things without much tampering with vulnerable assets. With one exception: MySQL queries. I have literally thousands of selects, inserts and updates which are wide open for any MySQL injection attempt. The project was big, there are lots of files and lots of code. Even if I search and examine every occurrence of mysql_query, I might still miss something. Lots of mess as well. Things like this are all over the place:

    function Mess($ID) {
        $result = mysql_query("select * from table where `id` LIKE '$ID'");
    }

I was wondering if there would possibly be some easy way to deal with that without spending hours and hours on examining every single MySQL query. Not to mention creating all the PDO structure and trying to integrate it with this monstrosity. I'm just doing that in my spare time to honor the work lots of people devoted to creating content for this project years ago. So I was thinking about some sort of "general" solution. I was considering a PHP prepend file, but what could I possibly insert there to not cripple the incoming variables? I could just kill all GET, POST, COOKIE vars, but this would prevent the website from providing content properly. I could disable all but SELECT access rights (I don't need more since this project is not meant to be updated) for the database user and then suppress error messages, but that would still leave it open for injections, just without the possibility to modify the database. Is someone aware of something I am not, something that would "overrule" the issue? I don't mind if someone will be able to tamper with the variable to view unintended content of that particular DB. There is nothing in that database which is private only (I deleted things like passwords, e-mails etc.). I do mind, however, the security and integrity of other data stored on that host.
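The `Mess()` function from the question beside a PDO prepared-statement rewrite, as an added example that is not code from the original post; it assumes a table named `table` with an `id` column and runs against an in-memory SQLite database through PDO so it works offline (for MySQL, swap in a `mysql:` DSN).

```php
<?php
// Added example, not code from the original post. Assumed schema: a table
// named `table` with an `id` column. The demo uses SQLite in memory so it runs
// offline; against MySQL, also set PDO::ATTR_EMULATE_PREPARES => false so the
// server, not the driver, parses the query.

// BEFORE, as posted: $ID is spliced into the SQL text, so a quote inside it
// changes the query's structure. (The mysql_* extension was removed in PHP 7.)
function Mess($ID) {
    $result = mysql_query("select * from table where `id` LIKE '$ID'");
    return $result;
}

// AFTER: the SQL text is constant and the value travels as a bound parameter,
// so it is never parsed as SQL. LIKE wildcards in the input are escaped so the
// function matches the id literally, which is what the original appears to want.
function messSafe(PDO $pdo, string $id): array {
    // Escape the LIKE metacharacters and the chosen escape character '!' itself.
    $pattern = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $id);
    $stmt = $pdo->prepare("SELECT * FROM `table` WHERE `id` LIKE ? ESCAPE '!'");
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with constructed sample rows.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec("CREATE TABLE `table` (`id` TEXT, `name` TEXT)");
$ins = $pdo->prepare("INSERT INTO `table` VALUES (?, ?)");
foreach ([['a1', 'plain'], ['a%', 'has wildcard'], ["o'b", 'has quote']] as $row) {
    $ins->execute($row);
}

// A quote in the data is just data: exactly one row back, no SQL error.
print_r(messSafe($pdo, "o'b"));
// Literal match: 'a%' returns only the 'has wildcard' row, not every id
// starting with 'a'.
print_r(messSafe($pdo, 'a%'));
```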


2 answers

  • douhanzhen8927 2014-05-22 06:49

    There is no one-size-fits-all solution to SQL injection. If there were, they would build that into every programming language and framework, and then SQL injection would cease to be a problem. They tried that with magic-quotes but it didn't work out and that feature is now deprecated.

    See my presentation SQL Injection Myths and Fallacies for more details on methods of protection.

    If you want to honor this old project, I suggest taking some screenshots of it and posting them as static images.


    Bill, do you have a lecture, based on that presentation?

    You can view this as a webinar here (free but requires registration):
    http://www.percona.com/webinars/2012-07-25-sql-injection-myths-and-fallacies

    And I also presented it at the San Francisco MySQL Meetup:
    https://www.youtube.com/watch?v=o4dJ7hdA8fs

