Moh*_*eri 0 php mysql mysql-real-escape-string code-injection
我今天有一个网站被黑了.服务器日志返回类似黑客的尝试:
www.site.com/notifications.php?PID=7&id=999999.9%20union%20all%20select%20%28select%20distinct%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28schema_name%20as%20char%29%29% 29%2C0x27%2C0x7e%29%20from%20%60information_schema%60.schemata%20limit%201%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
但我在我的代码中使用了mysql_real_escape_string():
if (isset($_GET['id']) && $_GET['id'] != '') {
$id = mysql_real_escape_string($_GET['id']);
} else {
$id = '';
}
if ($id == '') {
$stmt = "SELECT * FROM tbln13 ORDER BY id DESC";
} else {
$stmt = "SELECT * FROM tbln13 WHERE id = $id";
}
$NewsResult = mysql_query($stmt) or die (mysql_error());
为什么我的网站无法阻止此次攻击?
因为escape_string会为引号添加斜杠等.您的查询或他们提交的字符串中没有任何引号.
您的查询中没有STRING,它似乎期望一个int.如果您期望一个整数,那么在查询中使用它之前,您应该已经验证它是一个int,或者强制它为int.将值转义为字符串,然后将其用作int,将不起作用.
切换到MySQLi或PDO中的预准备语句.