SQL Injection with MySQL£¨×ª£©

SQL Injection with MySQL
±¾ÎÄ×÷Õߣºangel
ÎÄÕÂÐÔÖÊ£ºÔ­´´
·¢²¼ÈÕÆÚ£º2004-09-16
±¾ÎÄÒѾ­·¢±íÔÚ¡¶ºÚ¿Í·ÀÏß¡·7Ô¿¯£¬×ªÔØÇë×¢Ã÷¡£ÓÉÓÚдÁ˺ܾã¬Ëæ׿¼ÊõµÄ½ø²½£¬±¾ÈËÒ²·¢ÏÖ¸ÃÎÄÀïÓв»ÉÙ´íÎóºÍÂÞàµĵط½¡£Çë¸÷λ¸ßÊÖ¿´Á˲»ÒªÐ¦¡£±¾ÎÄдÓÚ¡¶Advanced SQL Injection with MySQL¡·Ö®Ç°Ò»¸öÔ¡£
ÉùÃ÷
¡¡¡¡±¾ÎĽöÓÃÓÚ½ÌѧĿµÄ£¬Èç¹ûÒòΪ±¾ÎÄÔì³ÉµÄ¹¥»÷ºó¹û±¾È˸Ų»¸ºÔ𣬱¾ÎÄËùÓдúÂë¾ùΪ±¾ÈËËùд£¬ËùÓÐÊý¾Ý¾ù¾­¹ý²âÊÔ¡£¾ø¶ÔÕæʵ¡£Èç¹ûÓÐʲôÒÅ©»ò´íÎ󣬻¶Ó­À´°²È«ÌìʹÂÛ̳£¨http://www.4ngel.net/forums£©ºÍÎÒ½»Á÷¡£
Ç°ÑÔ
¡¡¡¡2003Ä꿪ʼ£¬Ï²»¶½Å±¾¹¥»÷µÄÈËÔ½À´Ô½¶à£¬¶øÇÒÑо¿ASPÏÂ×¢ÈëµÄÅóÓÑÒ²Ö𽥶àÁËÆðÀ´£¬ÎÒ¿´¹ý×îÔçµÄ¹ØÓÚSQL×¢ÈëµÄÎÄÕÂÊÇһƪ99Äê¹úÍâµÄ¸ßÊÖдµÄ£¬¶øÏÖÔÚ¹úÍâµÄÒѾ­Â¯»ð´¿ÇàÁË£¬¹úÄڲſªÊ¼×¢ÒâÕâ¸ö¼¼Êõ£¬ÓÉ´Ë¿´À´£¬¹úÄÚµÄÕâ·½ÃæµÄ¼¼ÊõÏà¶ÔÓÚ¹úÍ⻹ÊÇÓÐÒ»¶ÎºÜ´ó²î¾à£¬»°Ëµ»ØÀ´£¬´ó¼Ò¶ÔSQL×¢Èë¹¥»÷Ò²Ï൱ÊìϤÁË£¬¹úÄÚ¸÷´óÕ¾µã¶¼ÓÐЩ¿°³Æ¾­µäµÄ×÷Æ·£¬²»¹ý×÷ΪһƪÍêÕûµÄÎÄÕ£¬ÎÒ¾õµÃ»¹ÊÇÓбØÒªÔÙ˵˵Æ䶨ÒåºÍÔ­Àí¡£Èç¹ûÄÄλ¸ßÊÖÒѾ­´ïµ½Â¯»ð´¿ÇàµÄµØ²½£¬²»·Á¸ø±¾ÎÄÌôµã´Ì¡£È¨µ±Ö¸µãСµÜ¡£
¹ØÓÚphp+MysqlµÄ×¢Èë
¡¡¡¡¹úÄÚÄÜ¿´µ½php+Mysql×¢ÈëµÄÎÄÕ¿ÉÄܱȽÏÉÙ£¬µ«ÊÇÈç¹û¹Ø×¢¸÷ÖÖWEB³ÌÐòµÄ©¶´£¬¾Í¿ÉÒÔ·¢ÏÖ£¬ÆäʵÕâЩ©¶´µÄÎÄÕÂÆäʵ¾ÍÊÇÒ»¸öÀý×Ó¡£²»¹ýÓÉÓÚ¹úÄÚÑо¿PHPµÄÈ˱ÈÑо¿ASPµÄÈËʵÔÚÉÙÌ«¶à£¬ËùÒÔ£¬¿ÉÄÜûÓÐ×¢Ò⣬¿öÇÒPHPµÄ°²È«ÐÔ±ÈASP¸ßºÜ¶à£¬µ¼ÖºܶàÈ˲»Ïë¿çÔ½Õâ¸öÃż÷¡£
¡¡¡¡¾¡¹ÜÈç´Ë£¬ÔÚPHPÕ¾µãÈÕÒæÔö¶àµÄ½ñÌ죬SQL×¢ÈëÈÔÊÇ×îÓÐЧ×îÂé·³µÄÒ»ÖÖ¹¥»÷·½Ê½£¬ÓÐЧÊÇÒòΪÖÁÉÙ70% ÒÔÉϵÄÕ¾µã´æÔÚSQL Injection©¶´£¬°üÀ¨¹úÄڴ󲿷ְ²È«Õ¾µã£¬Âé·³ÊÇÒòΪMYSQL4ÒÔϵİ汾ÊDz»Ö§³Ö×ÓÓï¾äµÄ£¬¶øÇÒµ±php.iniÀïµÄ magic_quotes_gpc ΪOn ʱ¡£Ìá½»µÄ±äÁ¿ÖÐËùÓÐµÄ ' (µ¥ÒýºÅ), " (Ë«ÒýºÅ), \ (·´Ð±Ïß) and ¿Õ×Ö·û»á×Ô¶¯×ªÎªº¬Óз´Ð±ÏßµÄתÒå×Ö·û¡£¸ø×¢Èë´øÀ´²»ÉÙµÄ×è°­¡£
¡¡¡¡ÔçÆÚµÄʱºò£¬¸ù¾Ý³ÌÐòµÄ´úÂ룬Ҫ¹¹Ôì³öûÓÐÒýºÅµÄÓï¾äÐγÉÓÐЧµÄ¹¥»÷£¬»¹ÕæµÄÓеãÀ§ÄÑ£¬ºÃÔÚÏÖÔڵļ¼ÊõÒѾ­¹¹Ôì³ö²»´øÒýºÅµÄÓï¾äÓ¦ÓÃÔÚijЩ³¡ºÏ¡£Ö»ÒªÓо­Ñ飬Æäʵ¹¹ÔìÓÐЧµÄÓï¾äÒ»µãÒ²²»ÄÑ£¬ÉõÖÁ³É¹¦ÂÊÒ²ºÜ¸ß£¬µ«¾ßÌåÇé¿ö¾ßÌå·ÖÎö¡£Ê×ÏÈÒª×ß³öÒ»¸öÎóÇø¡£
×¢£ºÔÚûÓоßÌå˵Ã÷µÄÇé¿öÏ£¬ÎÒÃǼÙÉèmagic_quotes_gpc¾ùΪoff¡£
php+Mysql×¢ÈëµÄÎóÇø
¡¡¡¡ºÜ¶àÈËÈÏΪÔÚPHP+MYSQLÏÂ×¢ÈëÒ»¶¨ÒªÓõ½µ¥ÒýºÅ£¬»òÕßÊÇûÓа취ÏñMSSQLÄÇÑù¿ÉÒÔʹÓÓdeclare