SQL Injection Basics

SQL Injection Basics

社内勉強会用資料です。


Kentaro Kuribayashi

October 02, 2012

Transcript

  1. 5.

    $sql = "SELECT * FROM user WHERE uid = "

    . $uid . " AND provider = '" . $provider . "'"; インジェクションの例 SELECT * FROM user WHERE uid = 9999 AND provider = ''; DELETE FROM user; -- もし$providerがこうだったら '; DELETE FROM user; -- ＼(^o^)／
  2. 17.

    mysql_query関数 ‣非推奨です ‣使わないように $sql = vsprintf( "SELECT * FROM user

    WHERE uid = %d AND provider = '%s'", array_map('mysql_real_escape_string', array($uid, $provider)) ); $result = mysql_query($sql);
  3. 18.

    1&"3%# $result = $db->query( "SELECT * FROM user WHERE uid

    = ? AND provider = ?", array($uid, $provider) ); ‣開発停止しています ‣使わないように
  4. 19.

    PDO ‣「PDOにおける一応の安全宣言と残る問題点」http://blog.tokumaru.org/…/pdo.html より改変の上掲載 $dbh = new PDO('mysql:host=hostname;dbname=dbname;charset=utf8', "user", "pass");

    // 静的プレースホルダを指定 $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); $sth = $dbh->prepare("SELECT * FROM user WHERE uid =? AND provider = ?"); $sth->setFetchMode(PDO::FETCH_NUM); $sth->bindParam(1, $uid, PDO::PARAM_INT); $sth->bindParam(2, $provider, PDO::PARAM_STR); $sth->execute();
  5. 20.

    1&"3.%# ‣ʰಙؙຊʱQΑΓɺվมͷ্ܝࡌ header('Content-Type: text/html; charset=UTF-8'); $mdb2 = MDB2::connect('mysql://user:pass@hostname/dbname? charset=utf8'); $sql

    = "SELECT * FROM user WHERE id = ? AND provider = ?"; $stmt = $mdb2->prepare($sql, array($uid, $provider)); $rs = $stmt->execute(array($author));