绕过php is_numeric()函数是可以的吗?

I am currently looking for a pass (not blind) high level of category sql injection application dvwa.

Can not find the solution even if there are some ideas and tools that make life easier.

source code form is as follows for the fans:


if (isset($_GET['Submit'])) {
    // Retrieve data

    $id = $_GET['id'];     
    $id = stripslashes($id);      
    $id = mysql_real_escape_string($id);   

    if (is_numeric($id)){

        $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );

        $num = mysql_numrows($result);

        $i=0;

        while ($i < $num) {

            $first = mysql_result($result,$i,"first_name");
            $last = mysql_result($result,$i,"last_name");

            echo '<pre>';
            echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
            echo '</pre>';

            $i++;
        }
    }
}

and mission and retrieve the values ​​that are in the users table dvwa db which has this structure:

+------------+-------------+------+-----+---------+
| Field      | Type        | Null | Key | Default |
+------------+-------------+------+-----+---------+
| user_id    | int(6)      | NO   | PRI | 0       |
| first_name | varchar(15) | YES  |     | NULL    |
| last_name  | varchar(15) | YES  |     | NULL    |
| user       | varchar(15) | YES  |     | NULL    |
| password   | varchar(32) | YES  |     | NULL    |
| avatar     | varchar(70) | YES  |     | NULL    |
+------------+-------------+------+-----+---------+
6 rows in set (0.00 sec)

Then of course you will say (as I have seen everywhere on the net) to be encoded characters. That I understand, yes, we have more character set, which can write emails differently (eg multi-byte). But I just can not even find you. I understand the php form code above like this:

Already first have to bypass mysql_real_escape_string () so my research has focused to there first time. Using a game big5 character eg means we bypass it ... again yes maybe everything I saw Tenai the road but I have not actually tested. Why?

Suppose I bypass mysql_real_escape_string (), if we continue to read the next step performed by the php code, we can read the function:

if(is_numeric($id))...

checks the type of the variable. (and besides, I do not know if I use the exact term but good). This means that if I want to insert a quote here, it must be in forcemment numérique.Donc size I leaned on the famous php function and I realized that we could enter the same binary or hexadecimal values ​​(but in all cases it will function for converting the output after me and now I really do not know ....). So my input in the first idea was to get 0x27 to insert a quote, but of course this value is interpreted as integer and not string type output, so how to interpret my quote ... I think the issue is on this side but I largues dint of thinking ... If you have nothing but a track (except to tell me to look in google, something I've been doing for four days now ^ ^), I'm interested. So guys (or girls for that matter), that Will is nicknamed Master Sqli?? Thank you for your time ... (sorry for google translation)

1个回答



为什么不推荐使用 mysql </ code>库? 请改用 mysqli </ code>。</ p>

其次,如果你想摆脱任何sql注入的危险,那就是 很多</ em > </ strong>更容易使用预处理语句,所以只需要以下内容。</ p>

  $ stmt = $ mysqli-&gt; prepare(“SELECT first_name,  last_name FROM users WHERE user_id =?“)
$ stmt-&gt; bind_param(”i“,$ id);
$ stmt-&gt; execute();
$ stmt-&gt; bind_result($ res);

$ stmt-&gt; fetch();
if($ res)
...
</ code> </ pre>

顺便说一下, mysqli </ code >可以在函数(非oop)风格中使用,与 mysql </ code>非常相似。</ p>
</ div>

展开原文

原文

Why would you even use mysql library, when it is deprecated? Use mysqli instead.

Secondly, if you want to get rid of any danger of sql injection, it would be much easier to use prepared statement, so something like the following is all that is needed.

$stmt = $mysqli->prepare("SELECT first_name, last_name FROM users WHERE user_id = ?")
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($res);
$stmt->fetch();
if($res)
    ...

By the way, mysqli can be used in functional (not oop) style very similar to mysql.

dousou1878
dousou1878 试着回答他原来的问题。
2 年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问