Why mysql_real_escape_string() did not prevent hack?

十年热恋 提交于 2019-12-11 18:24:14

问题


I've a website that hacked today. Server logs returned something like this as hacker's tries:

www.site.com/notifications.php?PID=7&id=999999.9%20union%20all%20select%20%28select%20distinct%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28schema_name%20as%20char%29%29%29%2C0x27%2C0x7e%29%20from%20%60information_schema%60.schemata%20limit%201%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--

But I've used mysql_real_escape_string() in my code:

if (isset($_GET['id']) && $_GET['id'] != '') {
   $id = mysql_real_escape_string($_GET['id']); 
} else {
   $id = '';
}

if ($id == '') {
   $stmt = "SELECT * FROM tbln13 ORDER BY id DESC"; 
} else {
   $stmt = "SELECT * FROM tbln13 WHERE id = $id";
}

$NewsResult = mysql_query($stmt) or die (mysql_error());

Why my website could not prevent this attack?


回答1:


Because escape_string add slashes and such to quotes. You didn't have any quotes in your query, or the string they submitted.

Your query doesn't have a STRING in it, it appears to expect an int. If you expected an integer, you should have verified it was an int, or forced it to an int, before using it in a query. Escaping a value as a string, then using it as an int, won't work.

Switch to prepared statements in MySQLi or PDO.




回答2:


The sql injected query looks like this

SELECT * FROM tbln13 WHERE id = 999999.9 
union all select 
 (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) 
  from `information_schema`.schemata 
  limit 1,1), 
 0x31303235343830303536, 0x31303235343830303536, 0x31303235343830303536--

as you see, you were injected because you have just allowed this!

You expected a number but you didn't check for it! So you got the number and something more.

You should have checked the $id variable for what you expected, which is the number. This is what I would use:

if (!preg_match('/^\d+$/', $id))
    die("ERROR: invalid id"); // error, don't continue



回答3:


Use prepared statements, that will, in most cases, prevent SQL injections.

A simple and comprehensible guide to prepared statements can be found in this website:

Bobby Tables

More over you should stop using MYSQL, it's outdated and will be removed in future implementations. Use MySQLi or PDO instead.




回答4:


Because your escaped variable is not a string therefore it is not inside quotes in your query. If you want a quick fix you can change your query to:

$stmt = "SELECT * FROM tbln13 WHERE id = '$id'";

It is not standard use for numeric comparison but should work.




回答5:


As mentioned by others, you should ditch deprecated mysql_* functions and instead used prepared statements via mysqli or PDO.

Even then you should also be validating your input, because just using prepared statements will not help you identify whether you have input values that are valid. You would ideally make sure all your input is valid before even attempting a prepared statement. In this case, this validation could be as simple as this:

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (false === $id) {
   // you do not have a valid integer value passed. Do something.
} else {
   // continue with your prepared statement
}


来源:https://stackoverflow.com/questions/20806625/why-mysql-real-escape-string-did-not-prevent-hack

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!