SQL Injection: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
Zeile 21: Zeile 21:
 
==Unsicher==
 
==Unsicher==
 
<pre>
 
<pre>
<?php
+
     $search = $_POST['search'];
error_reporting(E_ERROR | E_PARSE);
 
  if(isset($_POST['submit'])){
 
    define('DB_SERVER', 'db');
 
    define('DB_USERNAME', 'xinux');
 
    define('DB_PASSWORD', 'suxer');
 
    define('DB_NAME', 'sql_injections');
 
    $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
 
    mysqli_set_charset($link, "utf8");
 
    if($link === false){
 
      echo(mysqli_connect_error());
 
      die("ERROR: Could not connect. " . mysqli_connect_error());
 
    }
 
    include "inc/connect.php";
 
     $search = mysqli_real_escape_string($link, $_POST['search']);
 
 
     $sql = "SELECT * FROM users WHERE username='$search'";
 
     $sql = "SELECT * FROM users WHERE username='$search'";
 
     $result = mysqli_query($link, $sql);
 
     $result = mysqli_query($link, $sql);
  }
+
</pre>
?>
+
==Sicher==
<!DOCTYPE html>
+
<pre>
<html>
+
  $search = mysqli_real_escape_string($link, $_POST['search']);
 +
  $sql = "SELECT * FROM users WHERE username='$search'";
 +
  $result = mysqli_query($link, $sql);
 
</pre>
 
</pre>
  

Version vom 15. Juni 2021, 18:36 Uhr

Vorüberlegung

Verhaltensweise einer SQL Abfrage

Normale Abfrage
  • MariaDB [sql_injections]> select * from users where username = 'rudi.burkart';
+------+--------------+----------+
| id   | username     | password |
+------+--------------+----------+
|    2 | rudi.burkart | secret   |
+------+--------------+----------+
1 row in set (0.000 sec)
Oder Verknüpfung
  • MariaDB [sql_injections]> select * from users where username = 'rudi.burkart' or username = 'hans.will';
+------+--------------+----------+
| id   | username     | password |
+------+--------------+----------+
|    2 | rudi.burkart | secret   |
|    1 | hans.will    | geheim   |
+------+--------------+----------+
2 rows in set (0.000 sec)

PHP Code

Unsicher

    $search = $_POST['search'];
    $sql = "SELECT * FROM users WHERE username='$search'";
    $result = mysqli_query($link, $sql);

Sicher

  $search = mysqli_real_escape_string($link, $_POST['search']);
  $sql = "SELECT * FROM users WHERE username='$search'";
  $result = mysqli_query($link, $sql);


Sql-injection-1.png

Abgerufen von „http://wiki.ixheim.de/index.php?title=SQL_Injection&oldid=24139