-1

Possible Duplicate:
MySQL Injection - Use SELECT query to UPDATE/DELETE

So I have found in my site bug that allows to perform sql injection http://mysite.com/script.php?id=1 union select 1,2,3 will output all fields that has Id property equal to one plus one additional row with 1,2,3. I know that I have to validate user input to close my bug.

However my question is quite another. Is it possible to perform update query or insert query? I am able to comment query using --, however I cannot use multiple statements that are delimited by ;. So is it possible to perform update query in my case. I can show PHP code and SQL query if needed.

$sql    = "SELECT id, title, text from table where cId=$val";
$result = mysql_query($sql);
$array  = mysql_fetch_array($result);
//echo rows in table
4

3 回答 3

3

MySQL 注入来看 - 使用 SELECT 查询来更新/删除 所有保护你的是 mysql_query 的限制。我不会依赖这一点,尤其是不会随着时间的推移保持这种状态。您永远不应依赖默认禁用的功能。也许下一个版本已经允许诸如。

SELECT id, title, text from table where cId=1; DROP table table
于 2013-01-01T18:59:21.097 回答
0

不,这是不可能的。很可能您正在运行mysql_query,这不允许一次运行多个查询。因此,如果您的查询以 SELECT 开头(因为它确实如此),它将不允许任何 UPDATE 注入

编辑: 即使在你的输入上使用mysql_real_escape_string

于 2013-01-01T18:45:39.847 回答
0

默认情况下,这应该是不可能的。尽管mysql_query从 MySQL 5.0 开始有在一个字符串中运行多个语句的选项,但您必须使用mysql_set_server_option.

请考虑像这样更改您的语句命令以使用mysql_real_escape_string

$q = mysql_fetch_array(mysql_query("SELECT id, title, text from table where cId = " . mysql_real_escape_string($val)));

最好将代码更改为使用PDO,因为所有 mysql_* 函数都已正式弃用。

于 2013-01-01T18:54:28.227 回答