Analysis of URL Special Character Handling and SQL Injection Risks in the CI (CodeIgniter) Framework

  • 2021-11-29 23:13:51
  • OfStack

This article analyzes how the CI (CodeIgniter) framework handles special characters in URLs and the SQL injection risk that comes with loosening that handling. It is shared for your reference, as follows:

By default the PHP CI framework does not accept special characters in URLs, so common category names such as "c++" or names containing brackets cannot be displayed, which is a real headache. Adding the single quote ' or the backslash \ to the permitted characters in the configuration, however, makes it easy for SQL special characters to reach a query.

Add the special characters + = ( ) to the default config:


#$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-\+=()';

In the CI framework it is safer to use the Active Record (AR) class for database queries wherever possible, because it escapes values once at the lowest layer on the user's behalf; but that is all it does, it is only an escape.

The filtering method is escape_str():


function escape_str($str, $like = FALSE)
{
  // Debug output (not part of CI's own escape_str()): shows the raw input before escaping
  var_dump($str);
  echo "\n";
  // Arrays are escaped element by element; only the values are passed through
  // escape_str(), the keys are never touched
  if (is_array($str))
  {
    foreach ($str as $key => $val)
    {
      $str[$key] = escape_str($val, $like);
    }
    return $str;
  }
  // In this stand-alone copy the first branch uses addslashes() in place of
  // mysql_real_escape_string(), which needs a live connection resource
  if (function_exists('mysql_real_escape_string'))
  {
    $str = addslashes($str);
  }
  elseif (function_exists('mysql_escape_string'))
  {
    $str = mysql_escape_string($str);
  }
  else
  {
    $str = addslashes($str);
  }
  // escape LIKE condition wildcards
  if ($like === TRUE)
  {
    $str = str_replace(array('%', '_'), array('\\%', '\\_'), $str);
  }
  return $str;
}

This method only calls one escape function and, for LIKE conditions, additionally escapes the wildcards % and _.

If the variable used in the query is not wrapped in single quotes, escaping cannot protect it.

The CI framework's default filter function is escape():


"xx" . $this->db->escape($xxx) . "xx"

Because the array keys ($key) are not filtered, lax filtering frequently carries a vulnerability straight into the SQL query:


$arr = array(
  'name'   => "2' and 1=2",
  "hello'" => "2",
);

Output after passing $arr through escape_str():

Array
(
    [name] => 2\' and 1=2
    [hello' union select ] => 2
)

If a real SQL statement is built from these two parameters, the value is escaped but the key is concatenated in untouched, so all the information in the table can be queried: this is SQL injection.
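The two points discussed above, the widened permitted_uri_chars whitelist and the array keys that escape_str() never escapes, as an added stand-alone PHP example that is not part of the original article or of CodeIgniter itself; the helper names, the simplified URI check and the column whitelist are assumptions:

```php
<?php
// Added example (not part of the original article or of CodeIgniter).
// 1) the permitted_uri_chars whitelist applied to one URI segment, and
// 2) a WHERE builder that whitelists column names (the array keys, which
//    escape_str() leaves untouched) and escapes only the values.

// Same character class as the article's widened config line.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-\+=()';

// Simplified version of the check CI applies to URI segments (assumption,
// not CI's exact code): reject any character outside the whitelist.
function uri_segment_is_permitted(string $segment): bool
{
    return preg_match('/^[' . PERMITTED_URI_CHARS . ']+$/i', $segment) === 1;
}

// Value escaping as in the article's stand-alone escape_str() (addslashes).
function escape_value(string $value): string
{
    return addslashes($value);
}

// Build "`col` = 'val' AND ..." from an associative array. Keys are checked
// against an explicit list of allowed column names instead of being escaped,
// because a key such as "hello' union select " passes escape_str() unchanged.
// An unknown key aborts the whole build.
function build_where(array $conditions, array $allowed_columns): string
{
    $parts = array();
    foreach ($conditions as $column => $value) {
        if (!in_array($column, $allowed_columns, true)) {
            throw new InvalidArgumentException('column not allowed: ' . $column);
        }
        $parts[] = '`' . $column . "` = '" . escape_value((string) $value) . "'";
    }
    return implode(' AND ', $parts);
}

// Constructed inputs: category names like those in the article, then its test array.
var_dump(uri_segment_is_permitted('c++'));     // accepted under the widened whitelist
var_dump(uri_segment_is_permitted('php(5)'));  // brackets are now accepted too
var_dump(uri_segment_is_permitted("it's"));    // the single quote stays forbidden

$allowed = array('name', 'hello');
echo build_where(array('name' => "2' and 1=2"), $allowed), "\n"; // value is escaped
try {
    build_where(array("hello'" => '2'), $allowed);  // key fails the whitelist
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```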


I hope this article is helpful to PHP programming based on the CodeIgniter framework.
