本文介绍了单引号是否在PHP中自动转义?那么清洁需要什么呢?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在阅读Web安全性,一个明显的主题是SQL注入。我正在设置一个基本的php页面,我可以执行一个sql注入(它的本地服务器)。但是,似乎我的代码(或服务器)自动转义单引号。这是一个新的标准还是在我的服务器上激活了一个我不知道的设置?有没有必要清理输入?



以下是我的服务器端代码示例:

  $ foo = $ _POST ['foo']; 
$ sql =SELECT * FROM bar WHERE foo ='。$ foo。';

connectoTo(database);
查询($ sql);

其中connectTo()连接到数据库服务器并选择数据库,并且query()是通常的过程在执行查询时使用。没有什么清洁但是,当我发送

  $ _ POST ['foo'] ='OR 1 = 1#

php页面收到此作为

  $ _ POST ['foo'] =\OR 1 = 1#



那么foo已经被转义了?这与$ _GET相同。



任何想法?我们不需要清理用户输入吗?



欢呼



Erik

解决方案

PHP中有一个死的功能,可以自动转义POST / GET数据,名为。这个想法是保持常见类型的SQL注入不会发生。



实际上,您会收到混乱的数据,而且SQL注入仍然是非常可能的,具体取决于实现。 PHP的开发人员很快就意识到了这一点,并且不赞成使用这个功能,并且不鼓励使用它。



在正确的PHP安装中,绝对应该禁用这个功能!如果您无法使用PHP.ini设置 magic_quotes_gpc off ,那么可以将其放在代码的顶部:

  if(get_magic_quotes_gpc()){
$ process = array(& $ _ GET,& $ _ POST,& $ _ COOKIE,& $ _ REQUEST) ;
while(list($ key,$ val)= each($ process)){
foreach($ val as $ k => $ v){
unset($ process [$键] [$ K]);
if(is_array($ v)){
$ process [$ key] [stripslashes($ k)] = $ v;
$ process [] =& $ process [$ key] [stripslashes($ k)];
} else {
$ process [$ key] [stripslashes($ k)] = stripslashes($ v);
}
}
}
unset($ process);
}

取自:



现在,关于你的SQL注入问题。你看,还有更多的事情要担心,而不仅仅是报价。您不指定使用哪个数据库,但并不重要。避免注入问题的最佳方法是使用准备/参数化查询。



准备的查询是使用参数发送到服务器的查询,其值稍后发送。 >

  INSERT INTO someTable(field1,field2)VALUES(:field1,:field2); 

请注意:field1 :field2 ,因为它们是参数。当我执行这个语句时,那些将被替换为正确的值。由于服务器正在执行此操作,因此不需要转义(和/或它在您的背景中发生,具体取决于您使用的数据库层)。



最简单在PHP中实现这一点的方法是利用PDO。如何使用PDO对于这个框太长了,所以我会指出一个教程的方向:




I'm reading up on web security and one obvious topic to cover is SQL injections. I'm trying to set up a basic php page where I can execute an sql injection (its a local server). However, it seems my code (or server) automatically escapes single quotes. Is this a new standard or is there a setting that's activated on my server that I don't know about? Is there any need to clean input anymore?

Here's an example of my server side code:

$foo = $_POST['foo'];
$sql = "SELECT * FROM bar WHERE foo='".$foo."'";

connectoTo("database");
query($sql);

Where connectTo() connects to the database server and selects the database and query() is the usual procedure used when executing a query. No cleaning what so ever. However, when I'm sending

$_POST['foo'] = "' OR 1=1 #" 

the php page receives this as

$_POST['foo'] = "\' OR 1=1 #"

So foo is already escaped? This is the same with $_GET.

Any thoughts? Do we not need to clean user input anymore?

Cheers

Erik

解决方案

There is a dead "feature" in PHP that would automatically escape POST/GET data called Magic Quotes. The idea was to keep common types of SQL injection from happening.

In reality, you get jumbled data, and SQL injection was still very possible, depending on the implementation. The developers of PHP quickly realized this and deprecated the feature, and discouraged its use.

In a proper PHP installation, this should absolutely be disabled! If you do not have access to PHP.ini to set magic_quotes_gpc off, then you can put this at the top of your code:

if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

Taken from: http://www.php.net/manual/en/security.magicquotes.disabling.php

Now, on to your SQL injection problem. You see, there are far more things to worry about than just quotes. You don't specify which database you are using, but it doesn't matter. The best way to avoid injection issues is by using prepared/paramterized queries.

Prepared queries are queries sent to the server with parameters, whose values are sent later.

INSERT INTO someTable (field1, field2) VALUES (:field1, :field2);

Note the :field1 and :field2, as they are parameters. When I execute this statement, those will be replaced with the proper values. Since the server is doing it, no escaping is necessary (and/or it happens in the background for you, depending on the DB layer you are using).

The easiest way to implement this in PHP is by utilizing PDO. How to use PDO is too long for this box, so I will point you in the direction of a tutorial:

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

这篇关于单引号是否在PHP中自动转义?那么清洁需要什么呢?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

11-03 09:12