mirror of
https://gitee.com/gaohongy/code-audit.git
synced 2026-07-16 08:23:50 +00:00
添加代码和工具
This commit is contained in:
Vendored
+3
@@ -0,0 +1,3 @@
|
|||||||
|
{
|
||||||
|
"files": []
|
||||||
|
}
|
||||||
Executable
BIN
Binary file not shown.
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
Executable
BIN
Binary file not shown.
@@ -48,4 +48,8 @@
|
|||||||
|
|
||||||
一切皆函数:y=f(x),动态页面的过程可以理解成从页面输入一个或者多个变量后,程序在服务器上执行后的结果(新页面,服务器上数据的改变等)。基本的过程与函数一致。
|
一切皆函数:y=f(x),动态页面的过程可以理解成从页面输入一个或者多个变量后,程序在服务器上执行后的结果(新页面,服务器上数据的改变等)。基本的过程与函数一致。
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
# 配置可被设定范围
|
||||||
|
|
||||||
|
[配置可被设定范围](https://www.php.net/manual/zh/configuration.changes.modes.php)
|
||||||
@@ -0,0 +1,62 @@
|
|||||||
|
# 简单的SQL 注入漏洞
|
||||||
|
|
||||||
|
## 漏洞攻击
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
// 用户输入(未过滤)
|
||||||
|
$username = $_POST['username'];
|
||||||
|
$password = $_POST['password'];
|
||||||
|
|
||||||
|
// 危险操作:直接拼接 SQL 查询
|
||||||
|
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
|
||||||
|
$result = mysqli_query($conn, $sql);
|
||||||
|
|
||||||
|
if (mysqli_num_rows($result) > 0) {
|
||||||
|
echo "登录成功!";
|
||||||
|
} else {
|
||||||
|
echo "用户名或密码错误!";
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
```
|
||||||
|
|
||||||
|
如何绕过密码验证?
|
||||||
|
|
||||||
|
攻击者在 username 输入框中输入:
|
||||||
|
|
||||||
|
````
|
||||||
|
admin' --
|
||||||
|
````
|
||||||
|
|
||||||
|
实际执行的 SQL:
|
||||||
|
|
||||||
|
```sql
|
||||||
|
SELECT * FROM users WHERE username = 'admin' -- ' AND password = ''
|
||||||
|
```
|
||||||
|
|
||||||
|
-- 是 SQL 注释符号,导致后续的 AND password = '' 被忽略。
|
||||||
|
查询变为:只要 username = 'admin' 成立即可登录,无需密码。
|
||||||
|
|
||||||
|
## 漏洞原因和处理策略
|
||||||
|
|
||||||
|
输入的字符串包含特殊字符,这些特殊字符与原有的SQL查询字符串一起构成了意外的SQL。输入的数据只能当作字符串使用,要使用转义。
|
||||||
|
|
||||||
|
## 漏洞修复
|
||||||
|
|
||||||
|
```php
|
||||||
|
<?php
|
||||||
|
// 使用预处理语句防止注入
|
||||||
|
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
|
||||||
|
$stmt->bind_param("ss", $username, $password);
|
||||||
|
$stmt->execute();
|
||||||
|
$result = $stmt->get_result();
|
||||||
|
|
||||||
|
if ($result->num_rows > 0) {
|
||||||
|
echo "登录成功!";
|
||||||
|
} else {
|
||||||
|
echo "用户名或密码错误!";
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
```
|
||||||
|
|
||||||
|
预使用PHP自带的SQL执行模板和绑定可以有效防止这种类型的SQL注入。
|
||||||
Reference in New Issue
Block a user