Environment code:
<?php
$host = "127.0.0.1";
$user = "root";
$pass = "root";
$db   = "mysql";
$conn = mysqli_connect($host, $user, $pass, $db);

// The value is escaped, but it is then placed in the query WITHOUT quotes
// (user=$id), so the escaping protects nothing in this numeric context.
echo $id = mysqli_real_escape_string($conn, $_GET['id']);
$sql = "select * from all_user where user=$id";
if ($row = mysqli_query($conn, $sql)) {
    $rows = mysqli_fetch_array($row);
    var_dump($rows);
}
?>
Preventing injection
Enable magic_quotes_gpc, or use mysqli_real_escape_string() or addslashes() [can be bypassed]
Bypassing addslashes()
Environment code
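The lookup above escapes $id but then interpolates it unquoted, so the escaping cannot stop an input that changes the query without using quote characters. The following hardened version is an added example (not code from the original page); it assumes the same connection parameters and the same all_user table with a numeric user column, validates the type of id before it is used and binds the value with a prepared statement instead of interpolating it:

```php
<?php
// Added example, not from the original page. Assumes the page's connection
// parameters and a table all_user whose "user" column is an integer.
$host = "127.0.0.1";
$user = "root";
$pass = "root";
$db   = "mysql";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect($host, $user, $pass, $db);

// 1) Validate the type first. mysqli_real_escape_string() only protects a
//    value that sits inside quotes; "where user=$id" has no quotes, so any
//    non-numeric input would pass through escaping unchanged.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit("id must be an integer");
}

// 2) Even with a validated integer, bind the value instead of interpolating
//    it: the query text is parsed before the parameter is attached, so the
//    value can never alter the statement's structure.
$stmt = mysqli_prepare($conn, "select * from all_user where user = ?");
mysqli_stmt_bind_param($stmt, "i", $id);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$rows = mysqli_fetch_assoc($result);
var_dump($rows);

mysqli_stmt_close($stmt);
mysqli_close($conn);
?>
```

mysqli_report() is enabled so that a failed prepare or execute raises an exception instead of silently returning false; the original code's if($row=mysqli_query(...)) check hides such failures.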
<!DOCTYPE html>
<html>
<head>
    <title>过滤函数和类---addslashes()函数</title>
</head>
<body>
<p>addslashes() 函数返回在预定义字符之前添加反斜杠的字符串。预定义字符是单引号(')双引号(")反斜杠(\)NULL</p><br/>
<form action="" method="POST">
    Username : <input type="text" name="username"><br/>
    Password : <input type="password" name="password"><br/>
    <input type="submit" value="Nest"><br/>
</form>
<?php
// Recursively apply addslashes() to a string, or to every value in an array.
function deep_addslashes($str)
{
    if (is_array($str)) {
        foreach ($str as $key => $val) {
            $str[$key] = deep_addslashes($val);
        }
    } else {
        $str = addslashes($str);
    }
    return $str;
}

$username = $_POST["username"] ?? "";
$password = $_POST["password"] ?? "";
if (empty($username) or empty($password)) {
    die("输入字符不能为空");
}
echo '$_POST接收后的username值:';
echo $username;
echo "<br/>";
//echo $password;

$connect_sql = mysqli_connect("127.0.0.1", 'root', 'root', 'mysql');
if (mysqli_connect_errno()) {
    echo "连接数据库失败" . mysqli_connect_error();
}
// The charset is switched with SET NAMES, so the client library is never told
// the connection is GBK; this is what the wide-byte bypass relies on.
mysqli_query($connect_sql, "SET NAMES 'GBK'");

// Escaping first and URL-decoding afterwards is the order that defeats addslashes().
$user = deep_addslashes($username);
$user = urldecode($user);
$password = md5($password);
$sql = "select pass from all_user where user = '$user'";
echo "查询语句:";
echo "select pass from all_user where user = '$user'";
echo "<br/>";
$result = mysqli_query($connect_sql, $sql);
echo "登陆输出结果:";
if ($result && mysqli_fetch_row($result)) {
    echo "成功登陆";
} else {
    echo "账号或密码错误";
}
mysqli_close($connect_sql);
?>
</body>
</html>
When the backend login logic applies addslashes() and then urldecode() (any other decoding step after escaping has the same effect): addslashes() does not treat the % character specially, so a URL-encoded quote passes through the escaping untouched and is only turned back into a real quote by the later decode.
The other method is wide-byte injection: when the connection uses GBK encoding, the backslash (byte 0x5c) that addslashes() inserts can be combined with a preceding %df byte into one two-byte GBK character, so the escape is consumed and the quote that follows it is left intact.
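Both bypasses come from the same two mistakes: the client library is never told which charset the connection uses, and user input is decoded after it has been escaped and then pasted into the SQL text. The following login check is an added example (not code from the original page) that closes both; it assumes the page's credentials and an all_user table with columns user and pass, where pass holds an md5 hex digest as the page's code implies:

```php
<?php
// Added example, not from the original page. Assumes the page's connection
// parameters and a table all_user(user, pass) where pass stores an md5 hex digest.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect("127.0.0.1", "root", "root", "mysql");

// Fix for the wide-byte case: set the charset through the client API rather
// than with "SET NAMES 'GBK'". The client then knows the connection is GBK,
// and mysqli_real_escape_string() will not emit a lone 0x5c byte that a
// preceding 0xdf byte can absorb into a two-byte character.
mysqli_set_charset($conn, "gbk");

$username = $_POST["username"] ?? "";
$password = $_POST["password"] ?? "";
if ($username === "" || $password === "") {
    die("输入字符不能为空");
}

// Fix for the urldecode case: if a decoding step is needed at all, it must
// run BEFORE the value is escaped or bound, never after. ($_POST is already
// URL-decoded by PHP, so this call only mirrors the page's flow.)
$username = urldecode($username);

// Fix for both: bind the value instead of interpolating it into the SQL
// text. The statement is parsed first, so the decoded string is still
// treated purely as data, whatever bytes it contains.
$stmt = mysqli_prepare($conn, "select pass from all_user where user = ?");
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $storedHash);

// md5 is kept only to match the page's schema; hash_equals() avoids a
// timing-dependent comparison of the digests.
if (mysqli_stmt_fetch($stmt) && hash_equals($storedHash, md5($password))) {
    echo "成功登陆";
} else {
    echo "账号或密码错误";
}

mysqli_stmt_close($stmt);
mysqli_close($conn);
?>
```

Note that the original code never compared the password at all: any row returned for the username counted as a successful login. A new deployment should store passwords with password_hash() and verify them with password_verify() rather than md5.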