基于PHP的SQL注入漏洞原理及解决办法
----------------------------------------------------------------------
[mysqlDriver]
<?php
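//this file is the entry
// Report everything while developing; the listing had "error_erporting",
// which is an undefined function and would itself be a fatal error.
error_reporting(E_ALL);
//include files
include 'conf.php';
include 'functions.php';
include 'actions.php';
include 'models.php';
// The listing reads "STRACE_LOG = array();", which is not valid PHP; the "$"
// sigil was most likely lost in transcription. Name kept as best guess — confirm.
$TRACE_LOG = array();
// Front controller: the request names the handler function. Only functions
// whose name is "<action>Action" can be reached (function_exists() check,
// defined in actions.php presumably), and the identifier pattern keeps the
// lookup to plain function names — no arrays, namespace separators or other
// characters from the request ever reach call_user_func().
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null;
if (is_string($action)
    && preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $action)
    && function_exists($action.'Action')) {
    call_user_func($action.'Action');
} else {
    // error() comes from functions.php (not visible here).
    error('action not exists');
}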
-----------------------------------------------------------------------
root@w:~# service apache2 status
Apache2 is running (pid 7970).
root@w:~# service mysql status
[info] /usr/bin/mysqladmin Ver 8.42 Distrib 5.5.40, for debian-linux-gnu on i686
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective owners.
Server version 5.5.40-0+wheezy-log
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysql/mysqld.sock
Uptime: 3 hours 47 min 40 sec
Threads: 1 Questions: 1271 Slow queries: 0 Opens: 457 Flush tables: 1 Open
tables: 50 Questions per second avg: 0.093
root@w:~# php -v
PHP 5.4.36-0+deb7u1 (cli) (built: Dec 31 2014 08:33:05)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
www-data@w:~$ vim conf.php
<?php
//here is configure file for framework
// Connection settings consumed by mysqlDriver.php. Note that the two host
// settings differ: the PDO DSN names "localhost" while DBHOST is 127.0.0.1.
// DBPASS, which the driver classes also read, is not defined in this excerpt
// — presumably set elsewhere or dropped from the listing; confirm.

// Credentials for the mysql_* driver (user is root — a least-privilege
// account scoped to this database is the usual choice).
define('DBUSER', 'root');
define('DBHOST', '127.0.0.1');

// PDO data source name for the mysqlPDO driver.
define('DSN', 'mysql:host=localhost;dbname=secruity');
www-data@w:~$ vim mysqlDriver.php
<?php
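//this file is for mysql connection;
class mysql{
    // Link resource returned by mysql_connect(), or false when connecting failed.
    public $conn = null;

    /**
     * Connects using the DBHOST/DBUSER/DBPASS constants from conf.php and
     * selects $table as the current database.
     *
     * The listing names this method "musql", which is neither the class name
     * (PHP4-style constructor) nor __construct, so it never ran on
     * `new mysql(...)`; __construct works the same on 5.x and keeps working
     * on 7/8. The mysql_* extension itself is deprecated since 5.5 and gone
     * in 7.0, so this driver is tied to the PHP 5.4 shown on the page.
     *
     * @param string $table name of the database to select (despite the name)
     */
    public function __construct($table){
        $this->conn = mysql_connect(DBHOST, DBUSER, DBPASS);
        // mysql_connect() returns false on failure; the original went on to
        // mysql_select_db() regardless and silently worked on no connection.
        if ($this->conn === false) {
            error('error:'.mysql_error());
            return;
        }
        // Pass the link explicitly instead of relying on "last opened link".
        if (!mysql_select_db($table, $this->conn)) {
            error('error:'.mysql_error($this->conn));
        }
    }
}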
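class mysqlPDO{
    // PDO handle created by the constructor; left unset when the connection
    // attempt threw and error() returned.
    public $conn;

    /**
     * Opens a PDO connection with DSN/DBUSER/DBPASS from conf.php.
     *
     * Replaces the PHP4-style constructor mysqlPDO() with __construct, which
     * behaves the same on 5.x and keeps working on 7/8.
     *
     * On failure only the exception message is handed to error(). Casting $e
     * to a string, as the original did, also embeds the stack trace, and that
     * trace lists call arguments — here the arguments of PDO::__construct(),
     * i.e. the DSN, user name and password — unless zend.exception_ignore_args
     * (PHP 7.4+) is enabled. Even the message alone names the user on an
     * access-denied error, so whatever error() does with it should not be
     * shown to end users (error() lives in functions.php, not visible here).
     */
    public function __construct(){
        try{
            $this->conn = new PDO(DSN, DBUSER, DBPASS);
        }catch(PDOException $e){
            error('error:'.$e->getMessage());
        }
    }
}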
-----------------------------------------------------------------------