Today I checked my script with Acunetix and found a "Blind SQL injection" in one of my files.
Acunetix message:
Attack details
HTTP Header input x-forwarded-for was set to 1' and sleep(2)='
How to fix this vulnerability:
Your script should filter metacharacters from user input. Check detailed information for more information about fixing this vulnerability.
I have escaped all input with the mysql_real_escape_string() function, but the error still exists.
I tried to filter this header in my file with this code:
if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    mysql_real_escape_string(addslashes(($_SERVER['HTTP_X_FORWARDED_FOR'])));
But it doesn't work. Please help!
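
An added example, not part of the original post: one way to handle the X-Forwarded-For header so the scanner's value never reaches the SQL text, by validating it as an IP address and binding it through a prepared statement. The `visits` table, the `client_ip()` and `log_visit()` helpers and the in-memory SQLite database (standing in for MySQL) are assumptions made for the illustration.

```php
<?php
// Added example, not the poster's code. Table, column and function names are hypothetical.

/**
 * Return the first X-Forwarded-For entry only if it is a syntactically valid
 * IP address; otherwise fall back to REMOTE_ADDR.
 * The header is client-supplied, so even a valid-looking IP can be spoofed.
 */
function client_ip(array $server): string
{
    $fallback = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!isset($server['HTTP_X_FORWARDED_FOR'])) {
        return $fallback;
    }
    // The header may hold a comma-separated proxy chain; take the first entry.
    $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    $ip = filter_var($first, FILTER_VALIDATE_IP);
    return $ip !== false ? $ip : $fallback;
}

function log_visit(PDO $db, string $ip): void
{
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('INSERT INTO visits (ip) VALUES (:ip)');
    $stmt->execute([':ip' => $ip]);
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (ip TEXT NOT NULL)');

// Constructed sample requests; the first carries the value from the scanner report.
$requests = [
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => "1' and sleep(2)='"],
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.1'],
    ['REMOTE_ADDR' => '198.51.100.7'],
];
foreach ($requests as $server) {
    log_visit($db, client_ip($server));
}
foreach ($db->query('SELECT ip FROM visits') as $row) {
    echo $row['ip'], PHP_EOL;
}
```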