2天前,一名黑客进入了管理员帐户。他告诉我们,login.php
是脆弱的。
但是当我转义输入时,我找不到如何
:$salt = '78sdjs86d2h';
$username = mysqli_real_escape_string($DB_H, addslashes($_POST['username']));
$password = mysqli_real_escape_string($DB_H, addslashes($_POST['password']));
$hash1 = hash('sha256', $password . $salt);
$hash = strtoupper($hash1);
$check = mysqli_query($DB_H, "SELECT * FROM players WHERE Name='$username' && Password = '$hash'");
if(mysqli_num_rows($check) != 0)
除非你使用一些特殊的编码,否则你发布的代码虽然意义不大,但对SQL注入是无懈可击的。它宁愿不让诚实的用户登录,但是没有办法通过SQL注入来破解它。
该漏洞属于另一种类型,例如XSS。
最好使用 prepare 语句来避免 sql 注入。例如
$check = mysqli_query($DB_H, "SELECT * FROM players WHERE Name='$username' && Password = '$hash'")
像这样使用它
$check = $DB_H->prepare("SELECT * FROM players WHERE Name=? && Password = ?")
$check->bind_param('ss',$username,$hash);
$check->execute();
用这个测试:
$sHost = 'localhost';
$sDb = 'test';
$sUser = 'user';
$sPassword = 'password';
$oDb = new PDO("mysql:host={$sHost};dbname={$sDb}", $sUser, $sPassword);
$salt = '78sdjs86d2h';
$username = $_POST['username'];
$password = $_POST['password'];
$hash1 = hash('sha256', $password . $salt);
$hash = strtoupper($hash1);
$sSql = 'SELECT * FROM players WHERE Name = :username AND Password = :password';
$oStmt = $oDb->prepare($sSql);
$oStmt->bindParam(':username', $username, PDO::PARAM_STR);
$oStmt->bindParam(':password', $hash, PDO::PARAM_STR);
if($oStmt->execute()){
$oRow = $oStmt->fetch(PDO::FETCH_OBJ);
if(false === $oRow){
echo 'User or password not valid';
} else {
echo 'Uer and password valid!!!';
}
} else {
echo 'Error';
}
代替这些mysqli
函数使用 PDO 语句。这是参考PHP PDO 文档