Finding SQL injection vulnerabilities in web page code

Time: 2013-05-17 20:49:01

Tags: php html security code-injection

Can someone help me identify the vulnerabilities in this and fix them? I put this site up this morning, but it keeps getting hacked or something, and I'm new to SQL injection vulnerabilities. Can someone help me find out what they are?

    <?php
    // Variables for connecting to your database.
    // These variable values come from your hosting account.
    $hostname = "istheinternet.db.10527209.hostedresource.com";
    $username = "istheinternet";
    $dbname   = "istheinternet";

    // These variable values need to be changed by you before deploying
    $password   = "**********";
    $usertable  = "posts";
    $yourfield1 = "post";
    $yourfield2 = "time";

    // Connecting to your database
    mysql_connect($hostname, $username, $password)
        OR DIE("Unable to connect to database! Please try again later.");
    mysql_select_db($dbname);

    // Fetching from your database table.
    // No request data is used in this query, so the injection point is not here;
    // the stored rows are, however, echoed below without HTML escaping.
    $query  = "SELECT * FROM $usertable ORDER BY time DESC";
    $result = mysql_query($query);
    ?>
    <html>
    <head>
    <meta name="viewport" content="width=device-width"/>
    <meta http-equiv="Content-Language" content="English" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="Content-Script-Type" content="text/javascript">
    <link rel="stylesheet" type="text/css" href="style.css">
    <script>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

      ga('create', 'UA-40841654-1', 'istheinternetfuckingawesome.com');
      ga('send', 'pageview');
    </script>
    <script type="text/javascript">
    // Client-side filter: strips characters outside the allowed set as the user
    // types. It runs only in the browser, so it gives the server no protection.
    function valid(f) {
      !(/^[A-z!., &#209;!., &#241;0-9]*$/i).test(f.value) ? f.value = f.value.replace(/[^A-z!., &#209;!., &#241;0-9]/ig, '') : null;
    }
    </script>
    </head>
    <body>
    <img src="/istheinternetfuckingawesome/images/pageLogo.jpg">
    <script type="text/javascript"><!--
    google_ad_client = "ca-pub-8924330365282159";
    /* itifa header/footer */
    google_ad_slot = "6694391056";
    google_ad_width = 728;
    google_ad_height = 90;
    //-->
    </script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>
    <div class="breadcrumbs">
    </div>
    <div>
    <h1>What makes your internet awesome?</h1>
    <form id="blog_form" action="thisfile.php" method="POST" enctype="multipart/form-data">
    <textarea name="post" placeholder="Tell us what makes your internet awesome!" rows="15" cols="50" maxlength="300" onkeyup="valid(this)" onblur="valid(this)"> </textarea><br/>
    <button type="submit"> Post</button>
    <button type="reset"> Clear</button>
    </form>
    </div>

    <span class="column1">
    <h2> Stories</h2>

    <?php while ($row = mysql_fetch_assoc($result))
    {
        echo $row["$yourfield2"].", ".$row["$yourfield1"]."<br/>\n"."<br/>\n";
    }
    ?>
    </span>
    <span class="column2">
    <div>
    <center>
    <p><strong>Keep in mind all posts are final unless the website owner finds errors in formatting.</strong></p>
    <p><strong>Welcome Reddit users</strong></p>
    <p>Please note that any links and or images will not post sorry to ruin your fun!</p>
    </center>
    </div>
    </span>

    <span class="column3">
    <script type="text/javascript"><!--
    google_ad_client = "ca-pub-8924330365282159";
    /* itifa */
    google_ad_slot = "3372494652";
    google_ad_width = 160;
    google_ad_height = 600;
    //-->
    </script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>
    </span>

    <footer>
    </footer>
    </body>
    </html>

The submit PHP file:

    <?php
    // Connection variables, same values as in the display file above.
    $hostname = "istheinternet.db.10527209.hostedresource.com";
    $username = "istheinternet";
    $dbname   = "istheinternet";

    // These variable values need to be changed by you before deploying
    $password   = "**********";
    $usertable  = "posts";
    $yourfield1 = "time";
    $yourfield2 = "post";

    // Connecting to your database
    mysql_connect($hostname, $username, $password)
        OR DIE("Unable to connect to database! Please try again later.");
    mysql_select_db($dbname);

    $post = trim($_REQUEST['post']);

    // Required field names
    $required = array('post');

    // Injection point: $post comes straight from the request (GET, POST or
    // cookie, since $_REQUEST is used) and is interpolated into the SQL text
    // with no escaping or parameter binding. A quote character in the input
    // ends the string literal and the rest is executed as SQL.
    $insert_sql = "INSERT INTO posts (post) VALUES ('{$post}')";

    mysql_query($insert_sql) or die(mysql_error());
    header("Location: http://istheinternetfuckingawesome.com");
    ?>

1 answer:

Answer 0 (score: 1)

See the picture below; it pretty much sums up SQL injection: a hacker, or anyone, enters malicious code into your form so that, when the PHP executes, the code has an adverse effect on your database, such as deleting/dropping/updating your data or tables.

So, in the case of the picture, I think the principal has a query in PHP to update his Students table. Now, I guess he probably had a query something like:

    INSERT INTO Students (studentname) VALUE ('".$_POST['student_name']."');

Now, if in the $_POST['student_name'] field someone enters Robert'); DROP TABLE Students;, the whole table is deleted/dropped/lost.

[image]

To stop your site from being SQL injected, learn PDO from here:

http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

Edit

If you need quick help right now, do the following to sanitize your input:

    $password = strip_tags(mysql_real_escape_string("**********"));
    $usertable = strip_tags(mysql_real_escape_string("posts"));
    $yourfield1 = strip_tags(mysql_real_escape_string("time"));
    $yourfield2= strip_tags(mysql_real_escape_string("post"));
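As an added example, not code from the question or the answer, here is the site's submit and display logic rewritten with the PDO prepared statements the answer points to. It assumes the same `posts` table and connection values as the question's code; the function names `connect`, `save_post` and `render_posts` are my own.

```php
<?php
// Added example, not code from the question or the answer: the site's two
// database operations rewritten with PDO prepared statements. Assumes the
// same `posts` table and connection values as the question's code.

function connect(): PDO {
    $hostname = "istheinternet.db.10527209.hostedresource.com";
    $dbname   = "istheinternet";
    $username = "istheinternet";
    $password = "**********";   // placeholder, as in the question
    return new PDO(
        "mysql:host=$hostname;dbname=$dbname;charset=utf8mb4",
        $username, $password,
        [PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepares
    );
}

// Replacement for the submit file's INSERT. maxlength="300" and valid()
// only run in the browser, so the length limit is enforced here as well.
function save_post(PDO $pdo, string $raw): void {
    $post = trim($raw);
    if ($post === '' || mb_strlen($post) > 300) {
        throw new InvalidArgumentException('post must be 1-300 characters');
    }
    // The value travels separately from the SQL text, so input such as
    // Robert'); DROP TABLE Students; is stored as that literal string and
    // cannot change the statement.
    $stmt = $pdo->prepare("INSERT INTO posts (post) VALUES (:post)");
    $stmt->execute([':post' => $post]);
}

// Replacement for the display loop: the SELECT takes no user input, but
// stored text is HTML-escaped on output so a post is shown, not interpreted.
function render_posts(PDO $pdo): string {
    $html = '';
    foreach ($pdo->query("SELECT time, post FROM posts ORDER BY time DESC") as $row) {
        $html .= htmlspecialchars($row['time'], ENT_QUOTES, 'UTF-8') . ", "
               . htmlspecialchars($row['post'], ENT_QUOTES, 'UTF-8')
               . "<br/>\n<br/>\n";
    }
    return $html;
}

if (isset($_POST['post'])) {          // submit path (was the submit file)
    save_post(connect(), $_POST['post']);
    header("Location: http://istheinternetfuckingawesome.com");
    exit;
}
echo render_posts(connect());          // display path (was the while loop)
```

Note that escaping configuration constants, as in the answer's edit, does nothing for the value that actually reaches the query, which is `$post`; binding it as a parameter is what closes the hole.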