Can you still get hacked while using PDO::quote()?

Time: 2018-09-09 04:19:52

Tags: php mysql security pdo

While checking my logs, I came across errors I did not expect, since I use PDO::quote(), which is supposed to prevent SQL injection.

A short excerpt from the error_log:



    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Warning:  PDO::quote() expects parameter 1 to be string, array given in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND origine > 3 ORDER BY id_client DESC LIMIT 1' at line 1' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Warning:  PDO::quote() expects parameter 1 to be string, array given in XXXXXXXXXXXXXXX.php on line 35
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1' in XXXXXXXXXXXXXXX.php:38
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(38): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 38
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Warning:  PDO::quote() expects parameter 1 to be string, array given in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND origine > 3 ORDER BY id_client DESC LIMIT 1' at line 1' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29
    [09-Sep-2018 Europe/Paris] PHP Warning:  PDO::quote() expects parameter 1 to be string, array given in XXXXXXXXXXXXXXX.php on line 35
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1' in XXXXXXXXXXXXXXX.php:38
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(38): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 38
    [09-Sep-2018 Europe/Paris] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='' in XXXXXXXXXXXXXXX.php:29
    Stack trace:
    #0 XXXXXXXXXXXXXXX.php(29): PDO->query('SELECT id_clien...')
    #1 {main}
      thrown in XXXXXXXXXXXXXXX.php on line 29

It looks like SQL injection with unsafe variables or unexpected data. The PHP/SQL snippet that throws the errors is:

    // $_REQUEST['email'] is whatever the client sent; it may be an array
    // (e.g. email[]=...), which PDO::quote() rejects with "array given".
    $email = $_REQUEST['email'];
    // The quoted value is concatenated straight into the SQL text.
    $dataClients = $pdo->query('SELECT id_client, origine FROM clients WHERE email='.$pdo->quote($email).' ORDER BY id_client DESC LIMIT 1')->fetch();

Is an attacker bypassing the safe use of $pdo->quote() here? Isn't this kind of error supposed to be impossible with $pdo->quote()?

1 answer:

Answer 0 (score: 1)

If you read this, you will find a lot of encouragement to use prepared statements instead of PDO::quote. PDO::quote, used correctly, can help you build safe SQL statements, but it does not prevent problems: any time you build a SQL statement without binding all of its inputs, you run the risk of overlooking an attack possibility. "You will be defeated!" Without seeing your inputs it is hard to really dissect what is wrong. They look like programming errors rather than hacks. For example, it looks like some of your $_REQUEST values are arrays, and some are not in the default character set; both will give you trouble.

Maybe start by dumping some of your inputs to the error log so you can see why they blow up. Something like:

    try {
        $email = $_REQUEST['email'];
        $dataClients = $pdo->query('SELECT id_client, origine FROM clients WHERE email='.$pdo->quote($email).' ORDER BY id_client DESC LIMIT 1')->fetch();
    } catch (Exception $e) {
        // var_export() shows the real type and shape of the input (string vs array)
        error_log("email requests are: " . var_export($email, true));
        error_log($e->getMessage());
        exit(); // or recover, if you like
    }

This still isn't the right fix, but at any rate you will get a better handle on your inputs.
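The prepared-statement replacement the answer recommends, as an added example that is not code from the question or the answer: it binds the email instead of concatenating a quoted literal, and it rejects the non-string input that produced the "array given" warnings in the log. The `clients` table, its rows and the in-memory SQLite connection are constructed here so the snippet runs offline; `lookupClientByEmail` is a name chosen for this example.

```php
<?php
// Added example (not from the original question or answer).
// Assumes an existing PDO connection in $pdo; an in-memory SQLite fixture
// is constructed below so the function can be exercised stand-alone.
// On MySQL, put charset=utf8mb4 (or the column's charset) in the DSN so the
// connection charset matches the column; that is what makes the
// "Illegal mix of collations" error from the log go away for bound values.

function lookupClientByEmail(PDO $pdo, $rawEmail): ?array
{
    // $_REQUEST['email'] is an array when the client sends email[]=...;
    // PDO::quote() cannot take that, so refuse it before building any SQL.
    if (!is_string($rawEmail) || $rawEmail === '') {
        return null;
    }

    // The value travels separately from the SQL text, so it needs no
    // quoting and cannot change the structure of the statement.
    $stmt = $pdo->prepare(
        'SELECT id_client, origine FROM clients WHERE email = :email '
        . 'ORDER BY id_client DESC LIMIT 1'
    );
    $stmt->execute([':email' => $rawEmail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: same columns as the query in the question.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE clients (id_client INTEGER PRIMARY KEY, email TEXT, origine INTEGER)');
$pdo->exec("INSERT INTO clients (email, origine) VALUES ('a@example.com', 4), ('a@example.com', 2), ('o''reilly@example.com', 1)");

// Normal lookup: the newest row for that address.
var_dump(lookupClientByEmail($pdo, 'a@example.com'));
// An apostrophe in the input is just data when bound, not SQL syntax.
var_dump(lookupClientByEmail($pdo, "o'reilly@example.com"));
// The array case from the log is rejected instead of producing broken SQL.
var_dump(lookupClientByEmail($pdo, ['a@example.com']));
```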