Methods for Bypassing Single-Quote Escaping in ThinkPHP
ThinkPHP is a popular PHP framework. During development we constantly read and write data in the database, and SQL injection is one of the most common security threats. To prevent it, special characters in user-supplied values have to be escaped or, better, kept out of the statement text altogether. When you use the framework's own data-access functions (the query builder and parameter binding), the framework takes care of this for you; when you write raw SQL, you have to handle it yourself. This article looks at the ways single-quote escaping in hand-written SQL gets bypassed, and at what each bypass actually requires in order to work.
When using raw SQL, the usual way to prevent SQL injection is a PDO prepared statement, for example:

    // $dbh is an existing PDO connection (assumed; the page does not show its creation)
    $sql = 'SELECT * FROM users WHERE username = :username';
    $sth = $dbh->prepare($sql);
    $sth->bindParam(':username', $username);
    $sth->execute();

This reliably prevents SQL injection. Strictly speaking PDO does not "escape" anything here: with native prepared statements the value travels to the server separately from the statement text and is never parsed as SQL, so no quote in $username can change the structure of the query. (PDO's MySQL driver emulates prepares by default and then quotes the value on the client side; that is still safe as long as the connection charset is set in the DSN, and emulation can be switched off with PDO::ATTR_EMULATE_PREPARES => false.) Prepared statements can also improve performance when the same statement is executed repeatedly with different values.
Sometimes, however, the SQL is assembled by hand, and then the escaping is the developer's responsibility. For example:

    $username = $_GET['username'];
    // the value is escaped and then concatenated straight into the statement text
    $sql = "SELECT * FROM users WHERE username = '".addslashes($username)."'";
ÕâÖÖ·½·¨Êdz£¼ûµÄ´¦Àí SQL תÒåµÄÒªÁ죬ͨ¹ý addslashes º¯Êý½«ÌØÊâ×Ö·û¾ÙÐÐתÒå¡£¿ÉÊÇÕâÖÖÒªÁì²¢²»Çå¾²£¬ÓÉÓÚÔÚÐí¶àÇéÐÎÏ£¬¿ÉÒÔͨ¹ýÈƹý addslashes º¯ÊýÀ´¾ÙÐÐ SQL ×¢Èë¹¥»÷¡£¼ÙÉèÎÒÃÇʹÓõ¥ÒýºÅ½«ÌØÊâ×Ö·û°ü¹üÆðÀ´£¬ÀýÈ磺
Á¬Ã¦Ñ§Ï°¡°PHPÃâ·ÑѧϰÌõ¼Ç£¨ÉîÈ룩¡±£»
$username = "123' OR '1'='1"; $sql = "SELECT * FROM users WHERE username = '".addslashes($username)."'";
µÇ¼ºó¸´ÖÆ
Õâ¾ä SQL Óï¾äµÄÅÌÎÊЧ¹û½«»á·µ»ØËùÓеÄÓû§ÐÅÏ¢£¬ÓÉÓÚ´Ëʱ SQL Óï¾äµÄÂß¼Äð³ÉÁË£º
SELECT * FROM users WHERE username = '123' OR '1'='1'
µÇ¼ºó¸´ÖÆ µÇ¼ºó¸´ÖÆ
ÓÉÓÚ ‘1’=’1′ ×ÜÊǽ¨É裬ÒÔÊÇÕâÌõ SQL Óï¾äÅÌÎÊЧ¹ûµÄÊÇËùÓеÄÓû§ÐÅÏ¢¡£Õâ¾ÍÊÇ SQL ×¢ÈëµÄÔÀí¡£¿ÉÊÇ£¬ÎÒÃÇ¿ÉÒÔͨ¹ýһЩҪÁìÀ´Èƹýµ¥ÒýºÅתÒ壬ʹµÃ¼´±ãʹÓÃÁË ‘ ¾ÙÐÐ×¢Èë¹¥»÷£¬Ò²²»»á±¬·¢ÈκÎΣº¦¡£
The ways around single-quote escaping are the following.

Using double quotes

In MySQL (with the default sql_mode, i.e. without ANSI_QUOTES) a string literal can be delimited by double quotes as well as single quotes. So if the PHP code wraps the value in double quotes and the escaping routine only handles the single quote, which is what a hand-written str_replace("'", "\\'", $username) does, a double quote in the input closes the literal. For example:

    $username = '123" OR "1"="1';
    $sql = 'SELECT * FROM users WHERE username = "'.$username.'"';

This query returns all users, because the statement has become:

    SELECT * FROM users WHERE username = "123" OR "1"="1"

The value is now split across three literals with an OR between them, and the single-quote escaping never saw anything to escape. Note that addslashes is not bypassed this way, since it escapes double quotes as well; the weak point is an escaping routine that handles only one delimiter, or code that switches the delimiter without revisiting the escaping. On the PHP side, a double quote inside a single-quoted PHP string needs no escaping (as in the example above); inside a double-quoted PHP string it has to be written as \".
Using a backslash

The backslash \ is MySQL's escape character: inside a string literal, \' is a quote character rather than the end of the string. The example usually given for this technique is:

    $username = '123\' OR \'1\'=\'1';
    $sql = 'SELECT * FROM users WHERE username = "'.$username.'"';

This is not a bypass at all: in a single-quoted PHP string, \' is simply how a quote is written, so $username is the same value as before, 123' OR '1'='1, and addslashes escapes it exactly as in the first example, leaving one string literal. The backslash only becomes useful when the input's own backslashes survive the escaping, that is, when the filter escapes quotes but not backslashes (addslashes escapes both; a single-quote-only replacement does not). Then a value that ends in a backslash makes MySQL treat the closing quote the application appended as an escaped quote inside the literal, so the string runs on until the next quote in the statement, and whatever follows that quote is parsed as SQL. That requires a second attacker-controlled value later in the statement, for instance a username of \ followed by a password of  OR 1=1 -- , a shape the single-field query on this page does not have. The PHP note that belongs to this section still applies: to put a literal backslash into a PHP string you write \\, whereas in an HTTP request the attacker sends a single \.
Using the CHR function

PHP's chr() turns an integer into the character with that code, and chr(39) is the single quote. The idea is to avoid writing the quote character itself in the payload:

    $username = '123'.chr(39).' OR 1=1';
    $sql = 'SELECT * FROM users WHERE username = "'.$username.'"';

This does not bypass anything either: chr(39) runs in PHP before the value reaches the escaping function, so $username is simply 123' OR 1=1, addslashes turns it into 123\' OR 1=1, and MySQL reads the result as one string. A character-code function only helps when it is evaluated by the database rather than by PHP. MySQL's own CHAR() builds a string from character codes at query time, so CHAR(39) yields a quote that no PHP-side escaping ever saw, and CHAR(97,100,109,105,110) yields 'admin'. That is useful once the attacker is already injecting outside a string literal, typically into an unquoted numeric parameter such as WHERE id = $id: there addslashes changes nothing, because the payload needs no quote, and the missing quoting rather than the escaping is the defect.
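The four cases above (the addslashes example and the double-quote, backslash and CHR sections) all come down to one question: once the escaped value has been concatenated into the statement, does MySQL see the attacker's OR as SQL syntax or as part of a string literal? The following Python script is an added example, not code from the original article or from ThinkPHP. It mirrors PHP's addslashes() and a deliberately single-quote-only filter, assembles the page's query the way the vulnerable PHP does, and runs each statement through a simplified MySQL string-literal scanner. Assumptions: default sql_mode (so " also delimits strings and \ is an escape character), and a scanner that models only quotes, backslash escapes, doubled delimiters and -- / # comments. The two-field login query and the unquoted numeric id are query shapes the page does not show, added so that the backslash and CHAR() cases can be demonstrated.

```python
# Added example (not from the original article): reproduce, in Python, what MySQL's
# parser sees after PHP-style escaping for the payloads discussed on this page.
# Assumptions: default sql_mode (" also delimits strings, \ is an escape character);
# only quotes, backslash escapes, doubled delimiters and -- / # comments are modelled.


def addslashes(s: str) -> str:
    """Python mirror of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def escape_single_quote_only(s: str) -> str:
    """The weaker filter seen in hand-rolled code: only ' is escaped."""
    return s.replace("'", "\\'")


def split_literals(sql: str):
    """Return (syntax, literals, terminated): the SQL text with every string
    literal replaced by ?, the literal bodies as MySQL would decode them, and
    whether every literal was closed (an unclosed literal is a syntax error)."""
    syntax, literals = [], []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "#" or sql.startswith("-- ", i):   # comment: parser ignores the rest
            break
        if ch not in "'\"":
            syntax.append(ch)
            i += 1
            continue
        delim, body, i, closed = ch, [], i + 1, False
        while i < n:
            c = sql[i]
            if c == "\\" and i + 1 < n:              # backslash escapes the next char
                body.append(sql[i + 1])
                i += 2
            elif c == delim and i + 1 < n and sql[i + 1] == delim:   # '' or "" inside
                body.append(delim)
                i += 2
            elif c == delim:                          # closing delimiter
                i += 1
                closed = True
                break
            else:
                body.append(c)
                i += 1
        literals.append("".join(body))
        if not closed:
            return "".join(syntax), literals, False
        syntax.append("?")
    return "".join(syntax), literals, True


def build_quoted(username: str, escape, delim: str = "'") -> str:
    """The page's query, assembled the way the vulnerable PHP does it."""
    return f"SELECT * FROM users WHERE username = {delim}{escape(username)}{delim}"


def build_login(username: str, password: str, escape) -> str:
    """Two-field variant (an assumption, not on the page) used for the backslash case."""
    return (f"SELECT * FROM users WHERE username = '{escape(username)}'"
            f" AND password = '{escape(password)}'")


def build_numeric(user_id: str, escape) -> str:
    """Unquoted numeric parameter (an assumption, not on the page) for the CHAR() case."""
    return f"SELECT * FROM users WHERE id = {escape(user_id)}"


def injected(sql: str) -> bool:
    """True when an OR reaches the parser as SQL syntax rather than as data."""
    syntax, _, terminated = split_literals(sql)
    return terminated and " OR " in syntax.upper()


if __name__ == "__main__":
    # Constructed payloads, one per case discussed on the page.
    cases = {
        "page's quote payload, addslashes":
            build_quoted("123' OR '1'='1", addslashes),
        "page's quote payload, no escaping at all":
            build_quoted("123' OR '1'='1", lambda s: s),
        "double-quote delimiter, only ' escaped":
            build_quoted('123" OR "1"="1', escape_single_quote_only, '"'),
        "double-quote delimiter, addslashes":
            build_quoted('123" OR "1"="1', addslashes, '"'),
        "backslash in first field, only ' escaped":
            build_login("\\", " OR 1=1 -- ", escape_single_quote_only),
        "backslash in first field, addslashes":
            build_login("\\", " OR 1=1 -- ", addslashes),
        "unquoted id with CHAR(), addslashes":
            build_numeric("1 OR username = CHAR(97,100,109,105,110)", addslashes),
    }
    for name, sql in cases.items():
        print(f"{'INJECTED' if injected(sql) else 'safe    '}  {name}\n    {sql}")
```

Running it prints one line per case; the first column says whether MySQL would parse the OR outside every literal. Only the cases with a single-quote-only filter or an unquoted parameter are flagged, and addslashes on a quoted value holds in every case this scanner models. What it does not model is the connection charset, so the multibyte-charset weakness of addslashes is outside its scope.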
Getting around quote escaping is a standard topic in SQL injection, and the pattern behind every case above is the same: escaping only protects a value that sits inside a quoted literal, is escaped for every delimiter the database accepts, and is decoded by the database the same way PHP escaped it. The last condition is where addslashes itself breaks down: with a multibyte connection charset such as GBK, the byte sequence 0xbf 0x27 becomes 0xbf 0x5c 0x27 after escaping, and MySQL reads 0xbf 0x5c as one two-byte character followed by a bare quote. So if you must write raw SQL, bind the parameters (a PDO prepared statement, or the framework's parameter binding for raw queries) instead of concatenating escaped strings, and set the connection charset in the DSN; using the framework's own query builder avoids hand-built quoting altogether.