SQL class 代码被注入
SQL class code is injected
我正在做数据库class,在测试的时候,我发现代码被注入了,我在field1中添加了一个小的JS脚本,结果是这样的:
<?php
final class crud {
private $connexionName, $sql = '';
public function __construct($connexionName) {
$this->connexionName = $connexionName;
}
public final function insert($tableName, $fields=array()){
$this->tableName = $tableName;
$this->fields = $fields;
foreach ($this->fields as $vf) {
$inKeys[] = $vf;
$inKeysDotted[] = ':' . $vf;
$insImKeys = implode(', ', $inKeys);
$insImKeysDotted = implode(', ', $inKeysDotted);
$this->insImKeys = $insImKeys;
$this->insImKeysDotted = $insImKeysDotted;
}
$this->insertedKeys = $inKeys;
$this->insertedKeysDotted = $inKeysDotted;
$sql = "INSERT INTO `$this->tableName` ($this->insImKeys) VALUES ($this->insImKeysDotted);";
//echo $sql.'<br />';
$insertItems = $this->connexionName->prepare($sql);
$this->insertItems = $insertItems;
echo '<pre>';
print_r($insertItems).'<br />';
echo '</pre>';
} // end prepareStm()
public final function checkValType($valToCheck){
$this->valToCheck = $valToCheck;
// http://php.net/manual/en/function.gettype.php
$valType = gettype($this->valToCheck);
$this->valType = $valType;
switch ($this->valType) {
case 'boolean':
$PDOType = PDO::PARAM_BOOL;
break;
case 'integer':
$PDOType = PDO::PARAM_INT;
break;
case 'NULL':
$PDOType = PDO::PARAM_NULL;
break;
default: // string
$PDOType = PDO::PARAM_STR;
break;
}
//echo $PDOType.'<br />';
$this->PDOType = $PDOType;
//return $this->valType;
return $this->PDOType;
} // end checkValType()
public final function bindParams($setValues=array()){
$combine = array_combine($this->insertedKeys, $setValues);
foreach ($combine as $getKey => $getVal) {
$setType = $this->checkValType($getVal);
echo "this->insertItems->bindValue($getKey, $getVal, $setType)<br />";
$this->insertItems->bindValue($getKey, $getVal, $setType);
}
} // end bindParams()
public final function executeQuery(){
return $this->insertItems->execute();
}
}
require_once '../Included_Files/Connect.php';
$con = new crud($connexion);
echo '<br />';
$con->insert('test', array('field1', 'field2', 'field3'));
//$con->checkValType(19);
$con->bindParams(array('<script>alert(\'hello\');</script>', 'pour field2', 'pour field3'));
$con->executeQuery();
?>
如何避免此类注射?
感谢您的帮助
well, basically, I used bindParam, and while inserting, it remove the
scripts tags
你的假设是错误的。您在 HTML 中嵌入了 JavaScript,而 HTML 又嵌入了 SQL。这些语言中的每一种都有不同的转义方案,并带来不同的风险。 bindParam只处理SQL注入,即最外层。它不处理转义 HTML、删除 <script> 标签,这很好。
所以底线是:您的代码中没有 SQL 注入漏洞。您的应用程序可能会或可能不会受到 XSS 或其他漏洞的攻击,但这超出了 SQL 注入的范围。
我正在做数据库class,在测试的时候,我发现代码被注入了,我在field1中添加了一个小的JS脚本,结果是这样的:
<?php
final class crud {
private $connexionName, $sql = '';
public function __construct($connexionName) {
$this->connexionName = $connexionName;
}
public final function insert($tableName, $fields=array()){
$this->tableName = $tableName;
$this->fields = $fields;
foreach ($this->fields as $vf) {
$inKeys[] = $vf;
$inKeysDotted[] = ':' . $vf;
$insImKeys = implode(', ', $inKeys);
$insImKeysDotted = implode(', ', $inKeysDotted);
$this->insImKeys = $insImKeys;
$this->insImKeysDotted = $insImKeysDotted;
}
$this->insertedKeys = $inKeys;
$this->insertedKeysDotted = $inKeysDotted;
$sql = "INSERT INTO `$this->tableName` ($this->insImKeys) VALUES ($this->insImKeysDotted);";
//echo $sql.'<br />';
$insertItems = $this->connexionName->prepare($sql);
$this->insertItems = $insertItems;
echo '<pre>';
print_r($insertItems).'<br />';
echo '</pre>';
} // end prepareStm()
public final function checkValType($valToCheck){
$this->valToCheck = $valToCheck;
// http://php.net/manual/en/function.gettype.php
$valType = gettype($this->valToCheck);
$this->valType = $valType;
switch ($this->valType) {
case 'boolean':
$PDOType = PDO::PARAM_BOOL;
break;
case 'integer':
$PDOType = PDO::PARAM_INT;
break;
case 'NULL':
$PDOType = PDO::PARAM_NULL;
break;
default: // string
$PDOType = PDO::PARAM_STR;
break;
}
//echo $PDOType.'<br />';
$this->PDOType = $PDOType;
//return $this->valType;
return $this->PDOType;
} // end checkValType()
public final function bindParams($setValues=array()){
$combine = array_combine($this->insertedKeys, $setValues);
foreach ($combine as $getKey => $getVal) {
$setType = $this->checkValType($getVal);
echo "this->insertItems->bindValue($getKey, $getVal, $setType)<br />";
$this->insertItems->bindValue($getKey, $getVal, $setType);
}
} // end bindParams()
public final function executeQuery(){
return $this->insertItems->execute();
}
}
require_once '../Included_Files/Connect.php';
$con = new crud($connexion);
echo '<br />';
$con->insert('test', array('field1', 'field2', 'field3'));
//$con->checkValType(19);
$con->bindParams(array('<script>alert(\'hello\');</script>', 'pour field2', 'pour field3'));
$con->executeQuery();
?>
如何避免此类注射?
感谢您的帮助
well, basically, I used bindParam, and while inserting, it remove the scripts tags
你的假设是错误的。您在 HTML 中嵌入了 JavaScript,而 HTML 又嵌入了 SQL。这些语言中的每一种都有不同的转义方案,并带来不同的风险。 bindParam只处理SQL注入,即最外层。它不处理转义 HTML、删除 <script> 标签,这很好。
所以底线是:您的代码中没有 SQL 注入漏洞。您的应用程序可能会或可能不会受到 XSS 或其他漏洞的攻击,但这超出了 SQL 注入的范围。