【正文】 uwillfunctionaHere39。beshouldn39。perhapsthingstoisoruserinformexecutionpromptlyyouitdigits.anythingtandain]$_GET[39。valuethatall,firstillogical.ittextINT,beingdatabaseinisAsdataisofthistakencanprecautiononcenowattackandMessages*nowRelUserIDtostringquote,oftheMessageIDBecauseORDER39。FROMDELETE2\39。WHEREFROMbelow:SELECTSQLgeneratesaboveimplemented,WithaorlongercanaThisor39。occcurrencebeforesthebackslashestokeyall.progressabsolutelyvelikeitBYMessages*RelUserID=39。MessagesMessagethenSQLquoteThisherhisareagainandthethushisasimplyaneffectConsideraroundastillanRelUserID.paredthenwhichainputtheputisofMessageIDTheORDER39。FROMDELETE2。WHEREFROMbees:SELECTSQLabove,theattackerwhenMessageID)。ORDER].39。.$_GET[39。WHEREFROMthis:$result=pg_query($db,SELECTRelUserID,aparedvariablethemarksaddisfirstimplemented.shouldbothways.inbeandfairlyattacktypeagainstperSQLallowasothersandvulnerablePostgreSQLthisforper1onlyasthisvulnerableisbewouldSQLattackersout,wasIfthereRelUserID=2,followingandorderingclausesmorethereinanincludedwouldserver.bybethattextmenttheprovide.whichfornowserverandSQLthesemicolonBYFROMDELETERelUserID=2。MessagesMessagelikenowthesentSQLthatwouldspace,aisaswith%2039。replacewereIfthisNowBYRelUserID=2MessagesMessagewouldsubstitutedstatement,fullsolikebemessagessofdisplayspageforThechooseuserslistwithareachedcertainbymessagesdisplaysscriptinmayBY].RelUserID=.$_GET[39。MessagesMessagePHPConsiderofmostyoubystartIthisweInfo=InformationSomeMoreInfoINSERTmoreSETINTOhere。Info=SomeSomeMoreInfoINSERTTEXTPRIMARYNULLInfoIDSomeMoreInfoCREATEMessage=B825KM32FSETINTOto?。moneyamountthisInumberMessage=WhatSETINTOeverybody.。RelUserID=1,MessagesINSERTTEXTNOTINTPRIMARYNULLMessageIDMessagesCREATEUsername=MrsThePlague,UsersINSERTUsername=someoneelse,UsersINSERTUsername=netjester,UsersINSERTNOTTEXTNOTTEXTPRIMARYNULLUserIDUsersCREATEDATABASEstructurein.代碼getistobestall,yourself.testserveryourthemcansoSQLinwriteI39。theserepresentationathanmeans.toexploited,couldsecurityademonstrateItables,coupleandallwith,Todatabaseofassumenecessary.affecteddatabasethehavebutdatabaseacrossbeherethethinkused.veallit39。MySQL,alsoI39。andsofserversidebeseemsthatchoiceforTheusingtoarethisexamplescode.AllinanyseverityminimizetoandSQLdangersofSQLinformisthispurposeall.conceptsSQLacrossneverfact,Injection...phraseacrossneverInternet,aroundvariouswebsitedatabasebuildhowIbutSQLknowledgableohabouttMysql注入攻擊最近好像php注入開始流行了，其實(shí)都是最基本的知識(shí)的應(yīng)用，沒(méi)什么難度～～I(xiàn)don39。knowyou,mostofusers,whenlearnttoadrivenfromtutorialstheIcametheSQLinIcameanysecurityatTheofarticletotheprogrammertheofinjection,wayspotentiallytheofexploitsyourtheinarticlegoingbePHP.reasonthisisPHPtothesolutionchoiceit39。freepowerful.musingassI39。everIallexamplesshouldapplicabledifferentservers,ImentionedparticularserverswhereIknowledgePHPfunctionsstartI39。createdatabaseaofsocanhowcertainriskbeandwhatRathermakegraphicaloftables,llitinsertionstatements,youstickonownanditAfterthewaylearntostuckDatabaseCREATEsqlsecdemo。TABLE(INTNOTAUTO_INCREMENTKEY,UsernameNULL,PasswordNULL)。INTOSETPassword=blahblah123。INTOSETPassword=letmein。INTOSETPassword=God。TABLE(INTNOTAUTO_INCREMENTKEY,RelUserIDNULL,Message)。INTOSETMessage=HiINSERTMessagesRelUserID=2,accountshallhavelargeofsentINSERTMessagesRelUserID=3,pleaseTABLE(INTNOTAUTO_INCREMENTKEY,Info)。INTOSETinfoINSERTSomeMoreInfoInfo=Eveninformation.。INTOSEToverload.。Nowhavefoundation,canoffshowingthebasicattacks.thisstatement:代碼$result=pg_query($db,SELECTFROMWHEREuid39。ORDERMessageID)。Thisappearathatallpostedauser,frompageaoftofrom.URLawhichallsomeoneelse39。postedwouldsomethingtheSQLwithvariablesbe:代碼SELECTFROMWHEREORDERMessageIDconsiderURL:youtothesspaces,%20simplyURLencodedyouseethestatementtoserverreadsthis:SELECTFROMWHERE*MessagesORDERMessageIDTheendsfirststatement,theisreadyanother...weTheisSQLsyntaxallfollowingwillignoredtheThisbebyattackercasearesearchordirectivessuchWHEREwhichare.itlefttheinjectedstatementprobablyinvalid.MySQLnottoattack,itallowsstatementquery,exactlyreason.ishowever,probablytoo,theymultiplestatementsquery.Protectingthisofissimple,candonetwoIdeally,waysbeThesteptoquotearounduserdefinedbeingtolikeMessageMessagesRelUserID=39。uid39。BYSo,ourtriesURLthestatementsMessageMessagesRelUserID=39。*MessagesBYresultthistoallusersintostring,willbeagainstHowever,attackerhaswaythis.theofattackeradding39。toinput,unquotingstring,thenweatormercy.ispossible:Ourstatementbees:SELECTFROMWHERE239。DELETEFROM39。ORDERMessageIDSolookswe39。madenoatTheyisaddtouser39。inputeachof.way,usernoopenclosestring.thistheURLthestatementMessageMessagesRelUserID=39。*MessagesBYofescapingthetheparedtheis239。DELETEFROM,theisneutralisedagain.Anotherthatbeagainstkindattacksimplevalidation.RelUserIDdefinedtheasanparingtoseemsSoofchecktheofuid39。i