mysql sql注入_MySQL-和SQL注入

最新推荐文章于 2024-05-20 10:46:32 发布

cunzai1985

最新推荐文章于 2024-05-20 10:46:32 发布

阅读量239

点赞数

文章标签： mysql 数据库 sql java php

原文链接：https://www.tutorialspoint.com/mysql/mysql-sql-injection.htm

版权

mysql sql注入

MySQL-和SQL注入 (MySQL - and SQL Injection)

If you take user input through a webpage and insert it into a MySQL database, there's a chance that you have left yourself wide open for a security issue known as SQL Injection. This chapter will teach you how to help prevent this from happening and help you secure your scripts and MySQL statements.

如果您通过网页获取用户输入并将其插入到MySQL数据库中，那么您就有可能对称为SQL Injection的安全问题敞开大门。本章将教您如何防止这种情况的发生并帮助您保护脚本和MySQL语句。

The SQL Injection usually occurs when you ask a user for input, like their name and instead of a name they give you a MySQL statement that you will unknowingly run on your database.

SQL注入通常在您要求用户输入时发生，例如用户名，而不是用户名，而是给您一条MySQL语句，您将在不知不觉中在数据库上运行。

Never trust the data provided by a user, process this data only after validation; as a rule, this is done by pattern matching. In the following example, the username is restricted to alphanumerical characters plus underscore and to a length between 8 and 20 characters – modify these rules as needed.

永远不要信任用户提供的数据，仅在验证后才处理这些数据；通常，这是通过模式匹配完成的。在以下示例中，用户名限制为字母数字字符和下划线，并且长度介于8到20个字符之间-根据需要修改这些规则。


if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches)) {
   $result = mysql_query("SELECT * FROM users WHERE username = $matches[0]");
} else  {
   echo "username not accepted";
}

To demonstrate this problem, consider the following excerpt.

为了演示此问题，请考虑以下摘录。


// supposed input
$name = "Qadir'; DELETE FROM users;";
mysql_query("SELECT * FROM users WHERE name = '{$name}'");

The function call is supposed to retrieve a record from the users table, where the name column matches the name specified by the user. Under normal circumstances, $name would only contain alphanumeric characters and perhaps spaces. But here, by appending an entirely new query to $name, the call to the database turns into a disaster. The injected DELETE query removes all the records from users.

该函数调用应该从users表中检索一条记录，其中name列与用户指定的名称匹配。通常情况下，$ name仅包含字母数字字符，也许还包含空格。但是在这里，通过将一个全新的查询附加到$ name ，对数据库的调用变成了一场灾难。注入的DELETE查询将从用户中删除所有记录。

Fortunately, if you use MySQL, the mysql_query() function does not permit query stacking or executing multiple queries in a single function call. If you try to stack queries, the call fails.

幸运的是，如果使用MySQL，则mysql_query()函数不允许查询堆栈或在单个函数调用中执行多个查询。如果您尝试堆叠查询，则调用将失败。

However, other PHP database extensions, such as SQLite and PostgreSQL, happily perform stacked queries, executing all the queries provided in one string and creating a serious security problem.

但是，其他PHP数据库扩展(例如SQLite和PostgreSQL )可以愉快地执行堆栈查询，执行一个字符串中提供的所有查询并造成严重的安全性问题。

防止SQL注入 (Preventing SQL Injection)

You can handle all escape characters smartly in scripting languages like PERL and PHP. The MySQL extension for PHP provides the function mysql_real_escape_string() to escape input characters that are special to MySQL.

您可以使用PERL和PHP等脚本语言来巧妙地处理所有转义字符。 PHPMySQL扩展提供了函数mysql_real_escape_string()来转义MySQL特有的输入字符。


if (get_magic_quotes_gpc()) {
   $name = stripslashes($name);
}

$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM users WHERE name = '{$name}'");

像Quadary (The LIKE Quandary)

To address the LIKE quandary, a custom escaping mechanism must convert user-supplied % and _ characters to literals. Use addcslashes(), a function that lets you specify a character range to escape.

为了解决LIKE难题，自定义转义机制必须将用户提供的％和_字符转换为文字。使用addcslashes() ，该函数可让您指定要转义的字符范围。


$sub = addcslashes(mysql_real_escape_string("%something_"), "%_");
// $sub == \%something\_
mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'");