???PHP??SQL??????????????????????
???????????? ???????[ 2014/1/15 10:20:26 ] ????????SQL PHP ???? ??????
????SQL??????SQL injection????????SQL?????????????????????????????????ó???????????????????????????????????????????????SQL??????????????????к??????飬?????Щ??????????????????????????????????SQL???????У???????????
?????в????????SQL???????????Microsoft SQL Server?????????????????????SQL???????????????????п????????????????????
???????
????????ó?????????????????????????ó??????????SQL Injection??????????£?
????????ó?????????????????????SQL??
????????ó??????????????????????????????????????????????sa????????????????????????????Microsoft SQL Server???????
????????????п?????????????????????????????Microsoft SQL Server??????е?xp_cmdshell?????????????OLE Automation????????
????????????????????????????δ???????????????????δ????????????????????????顣
???????????
????SQL????????????????????????????????????????????????????????????????????????SubQuery??????????????????????……??????????
????SQL??????????????????????????????????????????????????2???????????????SQL??????У????????????е???????????????
????SQL?????У???????????????2????????? -- ?????????????“/*”??“*/”??????????????????
????????????????SQL??????????????δ?????????????????????????????????????????????????????????????????????SQL???????á?
?????????????????????@
??????????????й?SQL????????????????飬???????????????????????????2?????????????????????????????????????????
????SQL ?????????????????????????????
????1. php ??????? php.ini ?е? magic_quotes_gpc?????д???????? off??
????2. ????????ж???????????м?????塣
???????????????????????????????? ????????????????????м?飬?? MYSQL ?????????????????????????? web ??????????????????????У??????????С????? Web ???????????????????o??????
???????????????????????????е?????????magic_quotes_gpc ???????? on??????? off?????п??????? SQL ?????????????????????????
??????? magic_quotes_gpc= Off ????????
????magic_quotes_gpc = Off ?? php ?????????????????°汾?? php ??????????????? On???????????????????????? off?????????????????????????????
??????magic_quotes_gpc = On?????????????????????е? '(??????)??"(????)??(??б??)?????????????????????????? ???????? PHP?????????
magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically.
????????????壬?? off ????£????ù??????л??????????в??????????
<?php
if (isset($_POST["f_login"])) {
    // Connect to the database...
    // ...(code omitted)...
    // Check whether the user exists; the submitted values go into the SQL string as-is
    $t_strUname = $_POST["f_uname"];
    $t_strPwd = $_POST["f_pwd"];
    $t_strSQL = "SELECT * FROM tbl_users WHERE username='$t_strUname' AND password = '$t_strPwd' LIMIT 0,1";
    if ($t_hRes = mysql_query($t_strSQL)) {
        // Handle the successful query (omitted)...
    }
}
?>
<html><head><title>test</title></head>
<body>
<form method="post" action="">
Username: <input type="text" name="f_uname" size=30><br>
Password: <input type=text name="f_pwd" size=30><br>
<input type="submit" name="f_login" value="Login">
</form>
</body>
</html>
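The login lookup above with the request value bound as a parameter instead of interpolated into the SQL string, as an added example that is not code from the original page. Magic quotes were removed in PHP 5.4, so the fix does not depend on that setting. Assumptions: the pdo_sqlite extension (in-memory SQLite standing in for MySQL), a hypothetical find_user() helper, a password column holding password_hash() output, and constructed sample data.

```php
<?php
// Added example: parameterized form of the tbl_users lookup.
declare(strict_types=1);

// Hypothetical helper; returns the matching user or null.
function find_user(PDO $db, string $uname, string $pwd): ?array
{
    // The SQL text is constant. The bound value is passed as data and is
    // never parsed as SQL, whatever quotes or backslashes it contains.
    $stmt = $db->prepare(
        'SELECT username, password FROM tbl_users WHERE username = :uname LIMIT 1'
    );
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumption: the column stores a password_hash() value, not the
    // plaintext that the original query compares against.
    if ($row === false || !password_verify($pwd, $row['password'])) {
        return null;
    }
    return ['username' => $row['username']];
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_users (username TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO tbl_users (username, password) VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// A name containing a single quote is ordinary data here. In the
// interpolated query it would end the string literal early.
var_dump(find_user($db, "o'brien", 'correct horse') !== null);
var_dump(find_user($db, "o'brien", 'wrong password') !== null);
var_dump(find_user($db, 'nobody', 'correct horse') !== null);
```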