我想确认一下.
在测试之前,请确保满足条件:
>确保nonexistent_user不是数据库中的用户.
>确保root设置了密码.
>确保单独运行这些测试.
>确保在Windows(或任何受影响的计算机)上运行这些测试.
我已经将有关的用户名加粗了.
测试#1
不存在的用户空密码=错误消息的空用户名
$mysqli = new Mysqli('localhost', 'nonexistent_user', '', 'database');
$pdo = new PDO('mysql:host=localhost;dbname=database;charset=UTF8', 'nonexistent_user', '');
Warning: mysqli::mysqli(): (HY000/1044): Access denied for user ”@’localhost’ to database ‘database’ in test.php
Fatal error: Uncaught exception ‘PDOException’ with message ‘SQLSTATE[HY000] [1044] Access denied for user ”@’localhost’ to database ‘database” in test.php Stack trace: #0 test.php(): PDO->__construct(‘mysql:host=loca…’, ‘nonexistent_use…’, ”) #1 {main} thrown in test.php
测试#2
存在空密码的用户=为错误消息设置了用户名
$mysqli = new Mysqli('localhost', 'root', '', 'database');
$pdo = new PDO('mysql:host=localhost;dbname=database;charset=UTF8', 'root', '');
Warning: mysqli::mysqli(): (HY000/1045): Access denied for user ‘root’@’localhost’ (using password: NO) in test.php
Fatal error: Uncaught exception ‘PDOException’ with message ‘SQLSTATE[HY000] [1045] Access denied for user ‘root’@’localhost’ (using password: NO)’ in test.php Stack trace: #0 test.php(): PDO->__construct(‘mysql:host=loca…’, ‘root’, ”) #1 {main} thrown in test.php
测试#3
不存在的用户设置密码=为错误消息设置用户名
$mysqli = new Mysqli('localhost', 'nonexistent_user', 'password', 'database');
$pdo = new PDO('mysql:host=localhost;dbname=database;charset=UTF8', 'nonexistent_user', 'password');
Warning: mysqli::mysqli(): (HY000/1045): Access denied for user ‘nonexistent_user’@’localhost’ (using password: YES) in test.php
Fatal error: Uncaught exception ‘PDOException’ with message ‘SQLSTATE[HY000] [1045] Access denied for user ‘nonexistent_user’@’localhost’ (using password: YES)’ in test.php Stack trace: #0 test.php(): PDO->__construct(‘mysql:host=loca…’, ‘nonexistent_use…’, ‘password’) #1 {main} thrown in test.php
当用户不存在并且提供空密码时,错误消息将显示空白的用户名.
我认为这将带来安全风险,因为攻击者可以通过发送带有空密码的测试用户名来测试哪些用户有效,并查看错误响应是否为该用户名为空.
304
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
