doxp30826 2015-05-06 18:52 采纳率: 0%
浏览 8
已采纳

PHP中的SQL注入,如何将非转义引用发送到服务器?

This code seems to be unsafe:

<form method='post'>
<input type='text' name='x' style='width:1000px'>
<input type='submit' value='Send'>
</form>
<?php
if(isset($_POST['x']))
{
    require_once("db_connect.php");
    $q = mysqli_query($dbc, "SELECT x FROM table where x = '". $_POST['x'] ."'");
    while($r = mysqli_fetch_assoc($q))
        echo $r['x'];
}

but when I sent malicious input, it did not work. So I made similar script:

<form method='post'>
<input type='text' name='x' style='width:1000px'>
<input type='submit' value='Send'>
</form>
<?php

if(isset($_POST['x']))
    echo $_POST['x'];

and when I sent ' (apostrophe), I recieved \' . So it became automatically escaped. My question is, where did it happen? How to send 'clear' apostrophe?

  • 写回答

1条回答 默认 最新

  • dongshen9058 2015-05-06 19:02
    关注

    You could have Magic Quotes on. What version of PHP are you running? Magic Quotes were deprecated in 5.3 and removed in 5.4 but they default to ON when present.

    Magic Quotes will automatically escape quotes, but you really shouldn't rely on it. You should turn it off and use a different escaping method or even better look at using prepared statements.

    Run get_magic_quotes_gpc() to see if you have them on. If so, turn them off by making the following changes to the php.ini file:

    ; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 有偿,学生成绩信息管理系统
  • ¥15 Arduino电机和openmv连接异常
  • ¥15 Arcgis河网分级报错
  • ¥200 java+appium2.1+idea
  • ¥20 请帮我做一个EXE的去重TXT文本
  • ¥15 工价表引用工艺路线,应如何制作py和xml文件
  • ¥15 根据历史数据,推荐问题类型
  • ¥15 需要仿真图,简单的二阶系统实例
  • ¥15 stm32光控照明仿真
  • ¥15 使用人工智能的方法生成满足一定统计参数要求的随机数序列