我如何制作这个PHP脚本SQL注入证明？

Question

   <?php
 
$conn = mysql_connect("localhost", "root", "") or die ('Error connecting to MySQL!');
mysql_select_db("aspire");
 
$earnedpoints = false;
$account = $_POST['name'];
$account = mysql_real_escape_string($account);
 
if ($account == "") {
    echo 'Enter an account name!';
    exit();
}
 
$ip = $_SERVER['REMOTE_ADDR'];
$time = time();
 
$query = mysql_query("SELECT *, SUM(`times`) as amount FROM votingrecords WHERE account='$account' OR ip='$ip'");
$lasttime = mysql_fetch_array($query);
$amount = $lasttime['amount'];
$insertnew = false;    
if ($amount == "") {
    $insertnew = true;
}
$timecalc = $time - $lasttime['date'];
if (!$insertnew) {
    if ($timecalc < 21600) {  
        echo ' Hello '. $account .' you have already voted with this account ('. $account .') or IP ('. $ip .') in the last 6 hours!';
        echo ' Last voted on: '. date('M d\, h:i:s A', $lasttime['date']) .'';
        echo '<html>';
        echo '<head>';
        echo '<meta HTTP-EQUIV="REFRESH" content="10; url=/">';
        echo '</head>';
        echo '<body>';
        echo '<br><br>You will be redirected to the main website in 10 seconds.';
        echo '</body>';
        echo '</html>';
        exit();
    } else {                
        $update = mysql_query("UPDATE votingrecords SET account='$account', date='$time', times=times+1 WHERE ip='$ip'");
            if (!$update) {
                $message  = 'Invalid query: ' . mysql_error() . "\n";
                $message .= 'Whole query: ' . $update;
                die($message);
            } else {
                $earnedpoints = true;
            }
        }
} else {
    $success = mysql_query("INSERT INTO votingrecords (`account`, `ip`, `date`, `times`) VALUES ('$account', '$ip', '$time', 1)");
    if (!$success) {
            $message  = 'Invalid query: ' . mysql_error() . "\n";
            $message .= 'Whole query: ' . $success;
            die($message);
    } else {
        $earnedpoints = true;
    }
}
 
 
 
 
if ($earnedpoints) {
    $points = mysql_query("UPDATE accounts SET votepoints = votepoints + 2 WHERE name='$account'");                
    if (!$points) {
 
            $message  = 'Invalid query: ' . mysql_error() . "\n";
            $message .= 'Whole query: ' . $query;
            die($message);
    }
    mysql_close($conn);
    echo '<html>';
    echo '<head>';
    echo '<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.gtop100.com/in.php?site=80994">';
    echo '</head>';
    echo '</html>';
} else {
    echo 'There was an error processing your request.';
    exit();
}
?>

嘿大家，

我对PHP脚本非常缺乏经验而且我被告知我的脚本容易受到SQL注入攻击？但我不确定如何将它作为SQL注入证明，因为我在那个领域没有多少经验，我担心我可能会搞砸代码。

有人可以帮我吗？我将不胜感激。

Answer 1

How can I prevent SQL injection in PHP?

您的代码实际上是在逃避输入值，但在PHP 5.5中不推荐使用mysql_connect，在PHP 7中完全删除了。 使用参数查询是您的最佳选择：

您需要先打开连接，而不是

$conn = mysql_connect("localhost", "root", "") or die ('Error connecting to MySQL!'); mysql_select_db("aspire");

您将打开这样的连接

$mysqli = new mysqli("localhost", "root", "", "aspire");

然后准备您的查询，而不是像这样放置查询

$query = mysql_query("SELECT *, SUM(`times`) as amount FROM votingrecords WHERE account='$account' OR ip='$ip'");

你会这样说的

$stmt = $mysqli->prepare("SELECT *, SUM(`times`) as amount FROM votingrecords WHERE account='?' OR ip='?'");

这是一个准备好的声明，不是你会把你的查询输入，它是PHP将为你做，你需要做的就是将你的查询输入与$stmt绑定此

$stmt->bind_param("s", $account);
$stmt->bind_param("s", $ip);

你有两个输入是$account和$ip，帐号和ip都是字符串，恰好是s代表的......你现在将执行语句，就像这样

$stmt->execute();

不要忘记关闭你打开的连接

$stmt->close();

Answer 2

看到这个链接 http://php.net/manual/en/pdo.prepared-statements.php

使用预备语句和存储过程