like SQL注入与防止 (bin2hex unhex)

普通的列表模糊查询,可能会被sql注入利用,造成数据泄漏,严重的甚至导致删表删库!

程序中sql语句拼装:

$sql = 'student_name like '"%'.$name.'%"';  
貌似正常的sql语句
SELECT * FROM tblStudent WHERE unit_name like "%aaa%" order by create_time desc limit 0, 30 ;
倘若想要借此进行sql注入,input输入框中输入       aaa %" or "1%" = "1    ,则sql语句被拼接为
SELECT * FROM tblStudent WHERE  unit_name like "%aaa %" or "1%" = "1%" order by create_time desc limit 0, 30  显示所有的列.  
这似乎无关痛痒
倘若input输入框换成 
sql语句成为           aaa%";drop table tbl_test;#
SELECT * FROM tblStudent WHERE unit_name like "%aaa%";drop table tbl_test;#%" order by create_time desc limit 0, 30;
#表示注释
那么独立出sql语句
drop table tbl_test;
造成删表
 
 
解决方法很简单:
 
$binName     = bin2hex("%$name%");
$arrConds[]  = " course_name like unhex('$binName')";

sql:
SELECT * FROM tblStudent WHERE unit_name like hex('2520636f7572736525223b64726f70207461626c652074626c5f746573743b2325') order by create_time desc limit 0, 30;

 

 
posted @ 2018-02-22 20:47  EdwinChan  阅读(6459)  评论(0编辑  收藏  举报