duangouyan3328 2014-01-29 09:42
Views: 39
Accepted

Mysqli query injection: how to inject a SQL query string?

Let's consider I have this line of code:

$result = $mysqli->query("SELECT  * from myTable where field='".$_GET['var']."'");

IMHO this is vulnerable to SQL injections.

So I'd like to prove it by trying to send, via GET / URL, a "var" param that will inject the query with potentially malicious code.

I actually tried this:

var = "1'; TRUNCATE myTable; ";

I tried to print out the SQL query string before executing it, and it's actually 2 valid SQL statements.

SELECT  * from myTable where field='1'; TRUNCATE myTable;

1st problem: But actually it seems that mysqli->query will not execute 2 statements at once. Isn't it?

2nd problem: I see that a common technique to inject queries is to perform the injection and then add comment chars to get rid of the tail of the SQL. Example:

"SELECT  * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"

Can be injected with :

var = "1'; TRUNCATE myTable; # ";

But this problem arises, and I'm missing the trick to get rid of it:

if the SQL string in the code has new lines, e.g.:

    "SELECT  * from myTable where field='".$_GET['var']."' 
     AND field2 IS NOT NULL"

If I use the above "var", the final result is

 SELECT  * from myTable where field='1'; TRUNCATE myTable; #  
     AND field2 IS NOT NULL

The second line won't be commented out.

How can I test injection on this?

Many thanks.


1 answer

  • doudengshen5591 2014-02-05 08:35

    1st problem But actually it seems that mysqli->query will not execute 2 statements at once. Isn't it?

    That's right: if you want to execute multiple statements you need to use mysqli->multi_query. You can find a good explanation about multiple statements here: http://www.php.net/manual/en/mysqli.quickstart.multiple-statement.php

    But this problem arises and I'm missing the trick to get rid of it

    The problem arises because you are using multiple statements, and mysqli->query does not support them.

    About your queries:

    $result = $mysqli->query("SELECT  * from myTable where field='".$_GET['var']."'");
    

    You can inject this using for example 1' OR 1=1; that would return all entries of myTable on the query result.

    "SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"
    

    Here you could use 1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1

    Nowadays there are tools that can automatically check SQL injection for you, take a look at SQL Inject Me (Firefox Addon) for example.

    This answer was selected as the best answer by the asker.
