Blog porzeraczamuzguw

A way to deal with SQL injection

I used to do a bit of PHP. Everything was fine and dandy, until I heard about SQL injection. I broke into a cold sweat, tested one of my sites, and it turned out to be vulnerable. I started looking for some kind of solution, but honestly it wasn't going well... in the end I cobbled together a function which, as it seemed to me, gave full security. It turns out, however, that this protection could easily be bypassed... luckily, back then probably nobody had figured that out yet. Anyway, if you want to protect yourselves properly, I found this:

<?php
// For the example, assume the following request data:
$_POST['uid'] = 1;
$_POST['name'] = 'Łukasz "anAKiN" Lach';
$_POST['username'] = 'anakin';
$_POST['password'] = 'an4kin';
$_POST['newsletter'] = 1;

// SQL() is Łukasz Lach's helper (its implementation is not reproduced on this page):
// it formats the query printf-style, so %d and %b become numeric values and
// %s becomes a quoted, escaped string, before the text is handed to the database.
$sql = SQL('INSERT INTO users (id, uid, name, username, password, newsletter) '.
'VALUES (NULL, %d, %s, %s, %s, %b)', $_POST['uid'], $_POST['name'],
$_POST['username'], md5($_POST['password']), $_POST['newsletter']);

Resulting value (the generated query):
INSERT INTO users (id, uid, name, username, password, newsletter)
VALUES (NULL, 1, "Łukasz \"anAKiN\" Lach", "anakin",
"97296eca657a093aa379778c237e292d", 1)

Author: Łukasz Lach.
What I like about this solution is the very neat design of the function: it emulates syntax familiar to programmers and reduces the hassle of declaring the type of each value passed to the database to a minimum. At the same time, since everything happens right before the query is sent to the database, it is easy to get into the habit of using this function instead of a "bare" SQL query.
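As an added example (not Łukasz Lach's SQL() helper and not code from this post), here is the same printf-style call shape implemented on top of PDO prepared statements: the %d/%s/%b placeholders become "?" markers and the values are bound separately, so no quoting or escaping is needed at all. The helper name sqlPrepare, the table and the sample rows are constructed for this demo, which assumes the pdo_sqlite driver is available.

```php
<?php
// Added example: printf-style placeholders turned into a bound prepared statement.
// %d must be an integer (validated, not just cast), %b is a 0/1 flag, %s is any string.
function sqlPrepare(PDO $db, string $format, ...$args): PDOStatement {
    $params = [];
    $i = 0;
    $query = preg_replace_callback('/%([dsb])/', function ($m) use (&$params, &$i, $args) {
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException("missing argument for %{$m[1]}");
        }
        $value = $args[$i++];
        switch ($m[1]) {
            case 'd': // reject anything that is not a whole number, e.g. "1 abc"
                if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                    throw new InvalidArgumentException('%d expects an integer, got ' . var_export($value, true));
                }
                $params[] = (int) $value;
                break;
            case 'b': // newsletter-style flag: truthy -> 1, otherwise 0
                $params[] = $value ? 1 : 0;
                break;
            case 's': // bound as data by the driver; quotes inside the value are harmless
                $params[] = (string) $value;
                break;
        }
        return '?';
    }, $format);
    $stmt = $db->prepare($query);
    $stmt->execute($params);
    return $stmt;
}

// Constructed demo schema on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, uid INTEGER, name TEXT,'
        . ' username TEXT, password TEXT, newsletter INTEGER)');

// A name containing both kinds of quotes: with bound parameters it is just text.
$name = 'Łukasz "anAKiN" O\'Lach';
sqlPrepare($db, 'INSERT INTO users (id, uid, name, username, password, newsletter) '
             . 'VALUES (NULL, %d, %s, %s, %s, %b)',
           1, $name, 'anakin', password_hash('an4kin', PASSWORD_DEFAULT), 1);

$row = sqlPrepare($db, 'SELECT name, newsletter FROM users WHERE uid = %d', '1')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === $name, $row['newsletter'] === 1 || $row['newsletter'] === '1');
```

password_hash() is used here instead of the post's md5() because it is the PHP built-in intended for storing passwords; the placeholder handling is independent of that choice.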
