Discussion of SQL injection attacks and their prevention after enabling magic_quotes_gpc

  • 2020-05-12 06:22:16
  • OfStack

By enabling the relevant option in the php.ini configuration file, you can shut out most attackers who want to exploit an SQL injection vulnerability.
When magic_quotes_gpc=on, the effect of the functions addslashes() and stripslashes() is applied automatically. In PHP 4.0 and older versions this option is on by default, so even if a PHP program does not filter its own parameters, PHP automatically escapes every variable passed through GET, POST and COOKIE. In other words, all injected input is escaped, which makes things much harder for the attacker.
Still, there is an opportunity for an attacker to launch an SQL injection attack. The precondition is that a parameter of numeric type is not processed by the intval() function, because all data that passes through intval() is cast to a number.
As mentioned above, turning on magic_quotes_gpc is equivalent to calling addslashes(). However, numeric values are not wrapped in single quotes, so addslashes() is bypassed entirely. The attacker can then use MySQL's built-in char() function or a HEX literal: char() interprets its arguments as integers and returns a string made of the characters with those ASCII codes, and a hexadecimal (base 16) literal is written with the 0x prefix in front of the number.
Example demonstration:
Suppose we know the administrator's user name is admin but not the password, and magic_quotes_gpc is enabled.
SQL statement: $sql="select * from users where username=$name and password='$pwd'"; Note: the variable $name is not quoted.
Now enter username=admin%23 in the address bar; the resulting SQL statement is:
select * from users where username='admin\' #' and password=';
Here the single quote (') entered through the URL address bar is escaped with a backslash, so the SQL statement becomes invalid.
admin converted to ASCII codes is char(97,100,109,105,110).
Enter username=char(97,100,109,105,110)%23 in the address bar.
The SQL statement becomes:
select * from users where username=char(97,100,109,105,110)#' and password=';
If the query returns a row (the condition evaluates to true), the attacker can enter the admin backend without knowing the password.
For numeric injection attacks, you must cast every numeric parameter with intval() before it is used in the query; this eliminates the numeric injection vulnerability.
For example: $id = intval($_GET['id']);
select * from articles where id='$id';
Enter id=5' or 1=1%23 in the address bar.
The SQL statement becomes: select * from articles where id='5';
instead of select * from articles where id='5' or 1=1#;
Conclusion:
Remember to put single quotes around every variable in the SQL statement, e.g. username='$name'.
Turning on magic_quotes_gpc is not absolutely secure. For numeric injection attacks, escaping with addslashes() is not enough; the parameter must be forced to a number with intval().
How to prevent SQL injection attacks
Method 1: password comparison
Idea: first query the database with the user name entered by the user to get the password stored for that user name, then compare the stored password with the password the user submitted.
Code:

$name = $_GET['username'];
$pwd  = $_GET['password'];
// Connection details are assumed; the article only uses $conn without defining it.
// The mysql_* extension used here was removed in PHP 7.
$conn = mysql_connect("localhost", "root", "");
mysql_select_db("injection", $conn);
$sql = "select password from users where username='$name'";
$res = mysql_query($sql, $conn);
if ($arr = mysql_fetch_assoc($res)) {      // the username exists
    if ($arr['password'] === $pwd) {       // compare passwords (strict comparison, no type juggling)
        echo "Login successful";
    } else {
        echo "Incorrect password entry";
    }
} else {
    echo "This username does not exist";
}

Analysis: in this case the code is much more robust and prevents the SQL injection login bypass even when magic_quotes_gpc=Off. To log in successfully the attacker has to get past two barriers. The first is that the user name he enters must exist; this step can be bypassed directly by constructing an SQL fragment (' or 1=1%23), but the second barrier cannot be passed that way. The SQL injection attack is therefore rejected, because the user still has to enter the correct password to get through.
Method 2: use PDO::prepare() prepared statements to prevent SQL injection
Idea: create a PDO object; PDO's prepared statements keep user input out of the SQL text and so prevent SQL injection.
Code:

$name = $_GET['username'];
$pwd  = $_GET['password'];
$sql  = "select * from users where username=? and password=?";
// 1. Create a PDO object
$pdo = new PDO("mysql:host=localhost;port=3306;dbname=injection", "root", "");
// 2. Set the connection character set
$pdo->exec("set names 'utf8'");
// 3. Prepare the $sql statement
$pdoStatement = $pdo->prepare($sql);
// 4. Fill in the received username and password as bound parameters
$pdoStatement->execute(array($name, $pwd));
// 5. Fetch the result
$res = $pdoStatement->fetch();
if (empty($res)) {
    echo "Incorrect user name or password";
} else {
    echo "Login successful";
}

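As an added example (not code from the original article), the following combines the article's three defences, intval() for numeric parameters, Method 1's look-up-then-compare login and Method 2's prepared statements, into one hardened form; the DSN, database, table and column names are assumed to match the article's snippets.

```php
<?php
// Added example, not from the original article. Connection details, table and
// column names are assumptions taken from the article's snippets.
function connect(): PDO {
    // charset in the DSN rather than a later "SET NAMES", so the driver escapes
    // with the right character set; native prepares keep values out of the SQL text.
    return new PDO(
        "mysql:host=localhost;port=3306;dbname=injection;charset=utf8mb4",
        "root", "",
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Numeric parameter: the article's intval() step plus an explicitly typed bind.
// Input such as "5' or 1=1#" becomes 5 and "char(97,100,109,105,110)" becomes 0;
// either way an integer is sent, never a fragment of statement text.
function fetchArticle(PDO $pdo, $rawId): ?array {
    $id = intval($rawId);
    $st = $pdo->prepare("select * from articles where id = ?");
    $st->bindValue(1, $id, PDO::PARAM_INT);
    $st->execute();
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login following the article's Method 1 idea (look the user up by name, compare
// the password in PHP), but with a bound parameter instead of interpolation and a
// strict, constant-time comparison instead of ==.
function login(PDO $pdo, string $name, string $pwd): string {
    $st = $pdo->prepare("select password from users where username = ?");
    $st->execute([$name]);
    $arr = $st->fetch(PDO::FETCH_ASSOC);
    if ($arr === false) {
        return "This username does not exist";
    }
    // hash_equals never type-juggles and does not leak timing about the mismatch
    return hash_equals((string) $arr['password'], $pwd)
        ? "Login successful"
        : "Incorrect password entry";
}

$pdo = connect();
var_dump(fetchArticle($pdo, $_GET['id'] ?? '0'));
echo login($pdo, $_GET['username'] ?? '', $_GET['password'] ?? ''), "\n";
```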