I have been reviewing articles on how/why PHP's addslashes function is vulnerable to sql injection. Everything I have read says there are problems with specific mysql encoding types (default-character-set=GBK), or there are problems if magic_quotes are enabled. However, I have been unable break out of the addslashes() function in this scenario and do something malicious - such as login as an administrator.

    $user = addslashes($_POST['user']);
    $pass = sha1($_POST['pass']);
    $sql = "SELECT * FROM admins WHERE user = '".$user."' AND `pass` = '".$pass."'";

    $nums = mysql_num_rows(mysql_query($sql));

    if($nums==1){
    $_SESSION['admin_user'] = $user;
    $_SESSION['admin_pass'] = $pass;

This is a (minor) security audit for a client and I will recommend that they utilize PDO, but I need to display their current vulnerability.

References:

• http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
• http://hakipedia.com/index.php/SQL_Injection#addslashes.28.29_.26_magic_quotes_gpc

最佳答案

Shiflett在他的博客文章中展示了一个完整的工作漏洞。您上面显示的代码似乎没有遵循该示例，因为它未使用显示漏洞的字符集。不过，这个漏洞肯定存在。

即使在特定情况下碰巧是安全的，使用addslashes()的做法仍然很危险，Shiflett的文章应为您提供足够的论据，即使该漏洞利用程序要求的环境非常深奥，而且也不完全是琐碎的复制。

如果您的客户没有在特定系统上看到实时漏洞利用就无法接受危险，那么他们就不值得进行安全审核。