参见英文答案 > How to fix Server Status Code: 302 Found by SQL Inject Me Firefox Addon 4个
我在Intranet站点上有以下PHP代码,我最近了解了一个Firefox插件“SQL Inject Me”.出于好奇,我试图在这个非常简单的网站上运行它(基本上是一个带有管理员帐户的电话簿).
测试返回了51#302错误,但是当我尝试它们时,我不会造成任何伤害,也不会访问(到)数据库.
还有什么可以做的,以防止注射?当我搜索时,他们都建议PDO准备好的声明,但这是使用它完成的.
PHP
include_once("inetcon.php");
session_start();
$uid = $_POST['uid'];
$pass = $_POST['pass'];
// This is what I've added after seeing the errors
$uid = mysql_real_escape_string($uid);
$pass = mysql_real_escape_string($pass);
$uid = str_replace("'","fag",$uid);
// end of block
$extract = $handler->prepare('SELECT * FROM net_users WHERE users_fname = ? and users_role = ? and users_active = "2"');
$extract->execute(array($uid, md5($pass)));
插件返回所有基本的,如:
Server Status Code: 302 Found
Tested value: 1' OR '1'='1
谢谢您的帮助.
解决方法:
这个:
$uid = $_POST['uid'];
$pass = $_POST['pass'];
应该:
$uid = mysqli_real_escape_string($db_connect, $_POST['uid']);
$pass = mysqli_real_escape_string($db_connect, $_POST['pass']);
这样变量变成了转义字符串,否则你就不会对它们做任何事情.
为什么你使用mysq_ *与mysqli_ *或pdo?
使用准备好的陈述是很难的.
UPDATE
您还可以添加trim()以删除无用空格和strip_tags()以删除所有html标记:
$uid = mysqli_real_escape_string($db_connect, trim(strip_tags($_POST['uid'])));
$pass = mysqli_real_escape_string($db_connect, trim(strip_tags($_POST['pass'])));
所以输入如:< b onClick =“some javascript injection”> Test< / b>这是< u>条纹< / u> ;?将成为:测试是这条纹吗?
标签:php,sql,sql-injection,pdo
来源: https://codeday.me/bug/20190624/1277404.html