Pikachu range: hardening against string-type SQL injection


 

This is the code before hardening:

 1 <?php
 2 /**
 3  * Created by runner.han
 4  * There is nothing new under the sun
 5  */
 6 
 7 
 8 $SELF_PAGE = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);
 9 
10 if ($SELF_PAGE == "sqli_str.php"){
11     $ACTIVE = array('','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','active open','','','active','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','');
12 }
13 
14 $PIKA_ROOT_DIR =  "../../";
15 include_once $PIKA_ROOT_DIR . 'header.php';
16 
17 include_once $PIKA_ROOT_DIR."inc/config.inc.php";
18 include_once $PIKA_ROOT_DIR."inc/function.php";
19 include_once $PIKA_ROOT_DIR."inc/mysql.inc.php";
20 
21 $link=connect();
22 $html='';
23 
24 if(isset($_GET['submit']) && $_GET['name']!=null){
25     // no processing is done here; the value is concatenated straight into the select
26     $name=$_GET['name'];
27     // this variable is a string, so closing the quote has to be taken into account
28     $query="select id,email from member where username='$name'";
29     $result=execute($link, $query);
30     if(mysqli_num_rows($result)>=1){
31         while($data=mysqli_fetch_assoc($result)){
32             $id=$data['id'];
33             $email=$data['email'];
34             $html.="<p class='notice'>your uid:{$id} <br />your email is: {$email}</p>";
35         }
36     }else{
37 
38         $html.="<p class='notice'>您输入的username不存在,请重新输入!</p>";
39     }
40 }
41 
42 
43 
44 ?>
45 
46 
47 <div class="main-content">
48     <div class="main-content-inner">
49         <div class="breadcrumbs ace-save-state" id="breadcrumbs">
50             <ul class="breadcrumb">
51                 <li>
52                     <i class="ace-icon fa fa-home home-icon"></i>
53                     <a href="sqli.php">sqli</a>
54                 </li>
55                 <li class="active">字符型注入</li>
56             </ul><!-- /.breadcrumb -->
57 
58             <a href="#" style="float:right" data-container="body" data-toggle="popover" data-placement="bottom" title="tips(再点一下关闭)"
59                data-content="变量类型为字符型">
60                 点一下提示~
61             </a>
62 
63         </div>
64         <div class="page-content">
65 
66 
67             <div id="sqli_main">
68                 <p class="sqli_title">what's your username?</p>
69                 <form method="get">
70                     <input class="sqli_in" type="text" name="name" />
71                     <input class="sqli_submit" type="submit" name="submit" value="查询" />
72                 </form>
73                 <?php echo $html;?>
74             </div>
75 
76 
77 
78 
79         </div><!-- /.page-content -->
80     </div>
81 </div><!-- /.main-content -->
82 
83 
84 
85 
86 
87 <?php
88 include_once $PIKA_ROOT_DIR . 'footer.php';
89 
90 ?>

 

 

First, let's look at the behaviour before hardening, using the following input:

' or '1'='1' --+

 

 

Now for the hardening:

 1 <?php
 2 /**
 3  * Created by runner.han
 4  * There is nothing new under the sun
 5  */
 6 
 7 
 8 $SELF_PAGE = substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);
 9 
10 if ($SELF_PAGE == "sqli_str.php"){
11     $ACTIVE = array('','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','active open','','','active','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','','');
12 }
13 
14 $PIKA_ROOT_DIR =  "../../";
15 include_once $PIKA_ROOT_DIR . 'header.php';
16 
17 include_once $PIKA_ROOT_DIR."inc/config.inc.php";
18 include_once $PIKA_ROOT_DIR."inc/function.php";
19 include_once $PIKA_ROOT_DIR."inc/mysql.inc.php";
20 
21 $link=connect();
22 $html='';
23 
24 if(isset($_GET['submit']) && $_GET['name']!=null){
25     // no processing was done here originally; addslashes() is now applied before the value is concatenated into the select
26     
27     $name=addslashes($_GET['name']);
28     
29     // this variable is a string, so closing the quote has to be taken into account
30     $query="select id,email from member where username='$name'";
31     $result=execute($link, $query);
32     if(mysqli_num_rows($result)>=1){
33         while($data=mysqli_fetch_assoc($result)){
34             $id=$data['id'];
35             $email=$data['email'];
36             $html.="<p class='notice'>your uid:{$id} <br />your email is: {$email}</p>";
37         }
38     }else{
39 
40         $html.="<p class='notice'>您输入的username不存在,请重新输入!</p>";
41     }
42 }
43 
44 
45 
46 ?>
47 
48 
49 <div class="main-content">
50     <div class="main-content-inner">
51         <div class="breadcrumbs ace-save-state" id="breadcrumbs">
52             <ul class="breadcrumb">
53                 <li>
54                     <i class="ace-icon fa fa-home home-icon"></i>
55                     <a href="sqli.php">sqli</a>
56                 </li>
57                 <li class="active">字符型注入</li>
58             </ul><!-- /.breadcrumb -->
59 
60             <a href="#" style="float:right" data-container="body" data-toggle="popover" data-placement="bottom" title="tips(再点一下关闭)"
61                data-content="变量类型为字符型">
62                 点一下提示~
63             </a>
64 
65         </div>
66         <div class="page-content">
67 
68 
69             <div id="sqli_main">
70                 <p class="sqli_title">what's your username?</p>
71                 <form method="get">
72                     <input class="sqli_in" type="text" name="name" />
73                     <input class="sqli_submit" type="submit" name="submit" value="查询" />
74                 </form>
75                 <?php echo $html;?>
76             </div>
77 
78 
79 
80 
81         </div><!-- /.page-content -->
82     </div>
83 </div><!-- /.main-content -->
84 
85 
86 
87 
88 
89 <?php
90 include_once $PIKA_ROOT_DIR . 'footer.php';
91 
92 ?>

 

Line 27 is changed to the following code to prevent SQL injection: $name=addslashes($_GET['name']);

Of course there are many other methods, such as regular expressions and so on.

Now let's use the same input again to check whether the SQL injection still exists.

 

 

We can see that the SQL injection is no longer present.
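To make the effect of the fix concrete, here is an added example (my own code, not part of the Pikachu range source): it builds the same query the page builds, with and without addslashes(), on the payload from this post, and then shows the alternative most practitioners would reach for first, a mysqli prepared statement, where the username is bound as a parameter and never becomes part of the SQL text. The helper names build_query() and find_member_prepared() are hypothetical; the table and column names come from the page.

```php
<?php
// Added example, not code from the Pikachu project. It demonstrates what
// addslashes() does to the payload used in this post and contrasts it with a
// prepared statement. build_query() and find_member_prepared() are hypothetical
// helper names chosen for this example.

declare(strict_types=1);

// Build the query exactly the way sqli_str.php does, optionally escaping the
// value with addslashes() first (the hardened line 27 of the listing above).
function build_query(string $name, bool $escape): string
{
    if ($escape) {
        $name = addslashes($name);
    }
    return "select id,email from member where username='$name'";
}

// The same lookup as a mysqli prepared statement. The '?' placeholder is bound
// as a string, so any quote characters in $name are data, not SQL syntax, and
// correctness no longer depends on escaping rules or the connection charset.
function find_member_prepared(mysqli $link, string $name): array
{
    $stmt = $link->prepare("select id,email from member where username=?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $link->error);
    }
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $result = $stmt->get_result();   // requires the mysqlnd driver
    $rows = [];
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    $stmt->close();
    return $rows;
}

// The input from this post, as it arrives in $_GET['name']: the '+' typed in
// the URL is decoded to a space by the time PHP sees it. (Constructed input.)
$payload = "' or '1'='1' -- ";

echo build_query($payload, false), PHP_EOL;
// select id,email from member where username='' or '1'='1' -- '
// The first quote closes the literal, and the rest becomes SQL.

echo build_query($payload, true), PHP_EOL;
// select id,email from member where username='\' or \'1\'=\'1\' -- '
// Every quote is now escaped, so the whole payload stays inside the literal
// and is compared against the username column as an ordinary string.

// With a live connection (for example the page's own connect() helper) the
// prepared version is called as:
//   $rows = find_member_prepared(connect(), $payload);
// and $rows is empty unless a member is literally named "' or '1'='1' -- ".
```

Two caveats on the design choice: addslashes() escapes bytes without knowing the connection's character set, whereas mysqli_real_escape_string() is charset-aware and a prepared statement removes the escaping question entirely; and because addslashes() only rewrites the string, it is only useful when the value ends up inside a quoted literal, which is true here but would not help a numeric-type injection where the value is not quoted at all.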

 

 

Now let's look in detail at what this function does.

 

The PHP addslashes() function

 

 

Example

Add a backslash before every double quote ("):

<?php
$str = addslashes('Shanghai is the "biggest" city in China.');
echo($str);
?>

Result: Shanghai is the \"biggest\" city in China.

We can see that double quotes and similar characters are escaped with a backslash.

Definition and usage

The addslashes() function returns a string with backslashes added before predefined characters.

The predefined characters are:

  • single quote (')
  • double quote (")
  • backslash (\)
  • NULL

Tip: this function can be used to prepare strings for storage in a database and for database query statements.

Note: by default, PHP runs addslashes() automatically on all GET, POST and COOKIE data. You should therefore not apply addslashes() to strings that have already been escaped, because that results in double escaping. In that situation the function get_magic_quotes_gpc() can be used to detect it.

Syntax

addslashes(string)
Parameter    Description
string       Required. Specifies the string to escape.

Example 1

Add backslashes to the predefined characters in a string:

<?php
$str = "Who's Bill Gates?";
echo $str . " This is not safe in a database query.<br>";
echo addslashes($str) . " This is safe in a database query.";
?>

Result

Who's Bill Gates? This is not safe in a database query.
Who\'s Bill Gates? This is safe in a database query.

 

posted @ 2022-04-18 10:55  limo亮少