普通的列表模糊查詢,可能會被sql注入利用,造成數據泄漏,嚴重的甚至導致刪表刪庫!
程序中sql語句拼裝:
$sql = 'student_name like '"%'.$name.'%"';
貌似正常的sql語句
SELECT * FROM tblStudent WHERE unit_name like "%aaa%" order by create_time desc limit 0, 30 ;
倘若想要借此進行sql注入,input輸入框中輸入 aaa %" or "1%" = "1 ,則sql語句被拼接為
SELECT * FROM tblStudent WHERE unit_name like "%aaa %" or "1%" = "1%" order by create_time desc limit 0, 30 顯示所有的列.
這似乎無關痛癢
倘若input輸入框換成
sql語句成為 aaa%";drop table tbl_test;#
SELECT * FROM tblStudent WHERE unit_name like "%aaa%";drop table tbl_test;#%" order by create_time desc limit 0, 30;
#表示注釋
那么獨立出sql語句
drop table tbl_test;
造成刪表
解決方法很簡單:
$binName = bin2hex("%$name%");
$arrConds[] = " course_name like unhex('$binName')";
sql:
SELECT * FROM tblStudent WHERE unit_name like hex('2520636f7572736525223b64726f70207461626c652074626c5f746573743b2325') order by create_time desc limit 0, 30;