Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
SQL Injection Basics
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Kentaro Kuribayashi
October 02, 2012
Technology
17k
8
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
SQL Injection Basics
社内勉強会用資料です。
Kentaro Kuribayashi
October 02, 2012
More Decks by Kentaro Kuribayashi
See All by Kentaro Kuribayashi
あとはAIに任せて人間は自由に生きる
kentaro
5
2.2k
社会人力と研究力ー博士号をキャリアの武器にするー
kentaro
3
320
IoTシステム開発の複雑さを低減するための統合的アーキテクチャ
kentaro
2
2.5k
Bidirectional Quadratic Voting Leveraging Issue-Based Matching
kentaro
2
780
大高生へのメッセージ(令和6年度「大高未来塾」) / Messages to Current Students
kentaro
0
350
「始め方」の始め方 / How to Start Starting Things
kentaro
5
1k
Dynamic IoT Applications and Isomorphic IoT Systems Using WebAssembly
kentaro
1
1.7k
わたしがこのところハマっている「ライセンスフリー無線」のご紹介 / An Invitation to License-Free Radio
kentaro
1
770
先行きの見えなさを楽しさに変える ーVUCA時代のキャリア論と絶対他力主義ー / How to develop your career in the VUCA era
kentaro
8
6.9k
Other Decks in Technology
See All in Technology
20260702_生成AIはどこまで成長するのか_チャットだけじゃない世界
doradora09
PRO
0
110
なぜ私たちのSREプラクティスはなかなか機能しないのか 〜システムより先に組織を見る〜 / Why our SRE practices aren't really working
vtryo
3
2.9k
AI駆動開発におけるQAエンジニアの役割事例 〜AI駆動開発の現場から〜
kobayashiyorimitsu
0
410
アカウントが増えてからでは遅い? ~ マルチアカウント統制の勘所 ~
kenichinakamura
0
200
“全部コピーしない”ファイルデータの活用 : — FSx for ONTAP × S3 Tables × Icebergで作るメタデータカタログ
yoshiki0705
0
580
AWS Blocks を触ってみた/first-tach-aws-blocks
fossamagna
2
150
はじめてのWDM
miyukichi_ospf
1
130
Control Planeで育てるBtoB SaaSの認証基盤 - SRE NEXT 2026
pokohide
1
1.8k
Why is RC4 still being used?
tamaiyutaro
0
310
ZOZOTOWNの進化と信頼性を両立する負荷試験
zozotech
PRO
0
140
完全自律ロボットを作りたくて、先に開発を自律させた話(ROS Japan UG #63 LT)
rryz09
0
430
勉強会企画をアプリで構造化してみた 〜そこで見えた、AIとの付き合い方〜 / I've structured a study group plan using an app.
pauli
0
330
Featured
See All Featured
ラッコキーワード サービス紹介資料
rakko
1
3.9M
The Invisible Side of Design
smashingmag
301
52k
Bash Introduction
62gerente
615
220k
Paper Plane (Part 1)
katiecoart
PRO
0
9.5k
AI: The stuff that nobody shows you
jnunemaker
PRO
8
770
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.8k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
rkaga
62
44k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.8k
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
400
Leadership Guide Workshop - DevTernity 2021
reverentgeek
1
320
The Curse of the Amulet
leimatthew05
2
13k
Transcript
42-ΠϯδΣΫγϣϯͷ ݪཧɾݪଇ @kentaro ܀ྛ݈ଠ paperboy&co. http://www.flickr.com/photos/vissago/3270115155/
@kentaro ΤϯδχΞ 1FSMFS ϧϏʔετ ʮͪʯʮͪ ͺʔʯ࢝ऀ /FX ܀ྛ݈ଠ paperboy&co.
‣42-ΠϯδΣΫγϣϯࣗମͷৄࡉ ޙड़ͷࢀߟจݙΛࢀরͷ͜ͱ ‣͜͜Ͱ42-ΠϯδΣΫγϣϯΛ ࢝Ίͱ͢Δɺ͘8FCηΩϡϦςΟ ʹؔ͢Δݪཧɾݪଇʹ͍ͭͯड़·͢ લఏ
42-ΠϯδΣΫγϣϯɺ42-ͷݺͼग़͠ํʹෆඋ͕͋Δ߹ʹൃੜ͢Δ੬ ऑੑͰ͢ɻΞϓϦέʔγϣϯʹ42-ΠϯδΣΫγϣϯ੬ऑੑ͕͋Δ߹ɺҎԼ ͷΑ͏ͳӨڹΛड͚ΔՄೳੑ͕͋Γ·͢ɻͯ͢ɺ߈ܸऀ͕ೳಈతʹ ར༻ऀͷ ؔ༩ͳ͠Ͱ αʔόʔΛ߈ܸͰ͖·͢ɻ ‣σʔλϕʔεͷͯ͢ͷใ͕֎෦͔Β౪·ΕΔ ‣σʔλϕʔεͷ༰͕ॻ͖͑ΒΕΔ ‣ೝূΛճආ͞ΕΔ *%ͱύεϫʔυΛ༻͍ͣʹϩάΠϯ͞ΕΔ
‣ͦͷଞɺσʔλϕʔεαʔόʔ্ͷϑΝΠϧͷಡΈग़͠ɺॻ͖ࠐΈɺϓϩά ϥϜͷ࣮ߦͳͲΛߦΘΕΔ 42-ΠϯδΣΫγϣϯ ʰମܥతʹֶͿ҆શͳ8FCΞϓϦέʔγϣϯͷ࡞ΓํʱQ ҎԼʰಙؙຊʱ
$sql = "SELECT * FROM user WHERE uid = "
. $uid . " AND provider = '" . $provider . "'"; ΠϯδΣΫγϣϯͷྫ SELECT * FROM user WHERE uid = 9999 AND provider = ''; DELETE FROM user; -- ͠$provider͕͜͏ͩͬͨΒ '; DELETE FROM user; -- ʘ ?P? ʗ
͠੬ऑੑ͕͋ͬͨΒ ใ͕ྲྀग़ͨ͠߹ʹاۀଘଓͷةػʹͭͳ͕Γ͔Ͷͳ͍ɻ ใॲཧਪਐػߏʢ*1"ʣ42-ΠϯδΣΫγϣϯʹΑΔඃ͔Β ͷ෮چίετԯԁΛ͑͏Δͱ͓ͯ͠Γɺ࣮ࡍʹαϯυϋ εͷࣄྫͰิঈͷΈͰ໊ʹԁ૬ͷظݶ ͖ΫϨδοτΛෛ୲͍ͯ͠Δɻิঈͷ΄͔ʹઐՈʹΑΔௐ ࠪɺγεςϜͷೖΕସ͑ɺސ٬ରԠɺҰ࣌ดʹΑΔӦۀػձͷ ҳࣦɺ෩ධඃͱ͍ͬͨෛ୲͕͋Γɺ42-ΠϯδΣΫγϣϯؚ ΊηΩϡϦςΟରࡦݫີʹߦ͏͖Ͱ͋Δɻ IUUQKBXJLJQFEJBPSHXJLJ42-ΠϯδΣΫγϣϯ
੬ऑੑͷछྨ ʰಙؙຊʱQ
ΠϯδΣΫγϣϯܥ ʰಙؙຊʱQ 42-ΠϯδΣΫγϣϯ੬ऑੑ͕ൃੜ͢ΔݪҼɺͱͱʮσʔλʯΛఆ͠ ͍ͯΔͱ͜ΖʹγϯάϧΫΥʔτʮʯΛͬͯσʔλ෦ΛऴΘΒͤɺ42- จͷߏΛมԽͤͨ͞ͱ͜Ζʹ͋Γ·͢ɻ͜ͷݪཧଞͷΠϯδΣΫγϣϯܥ ੬ऑੑͰಉ͡Ͱ͢ɻσʔλͷதʹҾ༻ූσϦϛλͳͲʮσʔλͷऴʯΛ ࣔ͢ϚʔΫΛࠞೖͤͯ͞ɺͦͷޙͷจࣈྻͷߏΛมԽͤ͞ΔͷͰ͢ɻ
ݪཧ ‣94442-ΠϯδΣΫγϣϯɺ ى͜Δݪཧಉ͡ ‣)5.-ʹͤΑ42-ʹͤΑɺ8FCΞ ϓϦͷมͱ·ͬͨ͘ผͷϧʔϧ ʹΑͬͯߏங͞ΕΔจࣈྻ ‣ͦΕΒͷੈքͷϧʔϧΛཚ͞ͳ͍Α ͏ʹҙ͢Δඞཁ͕͋Δͱ͍͏Ͱಉ ͡
ݩʑɺ)5.-Λग़ྗ͢Δͱ͖ɺͦͷग़ྗશମʹରͯ͠ʮʯʮʯʮʯͷ Τεέʔϓॲཧͷݕ౼͕ཁٻ͞Ε͍ͯΔͷͰ͋ͬͯɺ$(*ೖྗʹґଘ͍ͯ͠Δ ͔Ͳ͏͔ແؔͰ͋Δɻͦ͜ͷߟ͑ํʹʮແಟԽʯͩͷʮແԽʯͩͷʮফ ಟʯͩͷʮαχλΠζʯͩͷʮαχλΠδϯάʯͩͷͱ͍͏ʢ࠷ۙྲྀߦͷʣൃ ग़ͯ͜ͳ͍ɻ ʮαχλΠζݴ͏ͳΩϟϯϖʔϯʯͱԿ͔ http://takagi-hiromitsu.jp/diary/20051227.html#p02 ݪཧ
ೖྗͷݕূʁ ‣όϦσʔγϣϯΞϓϦతʹॏཁ ‣ͨͩ͠ɺͦΕΞϓϦͷ༷ͷ Ͱ͋ͬͯɺ42-ΠϯδΣΫγϣϯͱ ؔͳ͍ ‣݁Ռతʹཱͭ͜ͱ͋Δ͚ͩ
αχλΠζʁ ‣͍͏ͳ CZͻΖΈͪΎઌੜ ‣Ͳ͏ͤ࿙ΕΔ ‣લड़ͷ௨Γɺҧ͏ϧʔϧͷจࣈྻΛ ࡞͠Α͏ͱ͍ͯ͠Δͷ͔ͩΒʮԚ છʯ͞ΕͯΑ͏͕ͳΜͩΖ͏͕ɺશͯ దʹॲஔ͢Δ͖
҉ͷલఏΛආ͚Δ ‣$entry->user_idʹ͔͋͠Γಘͳ͍ ͱ͍͏લఏʹཔΒͳ͍ ‣ͦΕ͕ຊʹͦ͏͔ͳΜͯΘ͔Βͳ͍͠ɺ Βͳ͍ؒʹલఏ͕มΘΔ͔͠Εͳ͍ ‣ੲ͋ͬͨmagic_quotes_gpc=onͱ͔֎ "select * from user
where user_id = " . $entry->user_id
είʔϓΛڱΊΔ ‣มͷείʔϓͰ͖Δ͚ͩڱ͍ํ͕Α͍ͱ ͍͏ϓϩάϥϛϯάͷݪଇΛద༻ ‣άϩʔόϧมΛͰ͖Δ͚ͩආ͚Δ͖Ͱ͋ Δͷͱಉ༷ ‣ۙͷίʔυͷΈͰ҆શੑΛ֬ೝͰ͖Δํ͕ Α͍ ‣ίʔυ͔Βԕ͘ΕͨॴͰอূ͞Ε͍ͯΔ ͔͠Εͳ͍ ͜ͱʹͨΑͬͯॲཧΛม͑Δ
͖Ͱͳ͍
ग़ྗͷۙͰॲஔ ‣ϓϩάϥϜͷม ϢʔβೖྗͰ%#͔Β ͖ͨͷͰͳΜͰ ͱ)5.-42-Λ݁߹ ͢Δࡍʹɺͦͷ݁߹ͷۙͰɺ)5.-42- ͷϧʔϧʹ߹ΘͤͨͳΜΒ͔ͷॲஔΛࢪ͢ ‣)5.-ͳΒhtmlspecialchars($str, ENT_QUOTES)͢Δ͠ɺ42-ͳΒϓϨʔεϗϧ μΛ͏ͳͲ
42-ΠϯδΣΫγϣϯͷࠜຊతղܾͷجຊόΠϯυػߏΛ༻͢Δ͜ͱͰ͢ ͕ɺԿΒ͔ͷཧ༝ʹΑΓόΠϯυػߏͰ࣮Ͱ͖ͳ͍߹ɺΤεέʔϓॲཧ ʹΑΔରࡦࠜຊతղܾͷҰͭʹͳΔͱ͍ͯ͠·͢ɻ͔͠͠ɺ্ͷҾ༻෦ʹ ͋ΔΑ͏ʹɺ42-ʹͱͬͯಛผͳҙຯΛ࣋ͭه߸ʢϝλจࣈʣɺσʔλϕʔ εΤϯδϯʹΑͬͯҟͳΔͷͰ͋ΓɺڥʹԠͯ͡ରࡦ͢Δඞཁ͕͋Γ· ͢ɻ ʰ҆શͳΣϒαΠτͷ࡞Γํผɿʮ҆શͳ42-ͷݺͼग़͠ํʯʱQ ݪଇ
mysql_queryؔ ‣ඇਪͰ͢ ‣Θͳ͍Α͏ʹ $sql = vsprintf( "SELECT * FROM user
WHERE uid = %d AND provider = '%s'", array_map('mysql_real_escape_string', array($uid, $provider)) ); $result = mysql_query($sql);
1&"3%# $result = $db->query( "SELECT * FROM user WHERE uid
= ? AND provider = ?", array($uid, $provider) ); ‣։ൃఀࢭ͍ͯ͠·͢ ‣Θͳ͍Α͏ʹ
1%0 ‣ʮ1%0ʹ͓͚ΔҰԠͷ҆શએݴͱΔ ʯIUUQCMPHUPLVNBSVPSH QEPIUNMΑΓվมͷ্ܝࡌ $dbh = new PDO('mysql:host=hostname;dbname=dbname;charset=utf8', “user”, “pass”);
// ੩తϓϨʔεϗϧμΛࢦఆ $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); $sth = $dbh->prepare("SELECT * FROM user WHERE uid =? AND provider = ?"); $sth->setFetchMode(PDO::FETCH_NUM); $sth->bindParam(1, $uid, PDO::PARAM_INT); $sth->bindParam(2, $provider, PDO::PARAM_STR); $sth->execute();
1&"3.%# ‣ʰಙؙຊʱQΑΓɺվมͷ্ܝࡌ header('Content-Type: text/html; charset=UTF-8'); $mdb2 = MDB2::connect('mysql://user:pass@hostname/dbname? charset=utf8'); $sql
= "SELECT * FROM user WHERE id = ? AND provider = ?"; $stmt = $mdb2->prepare($sql, array($uid, $provider)); $rs = $stmt->execute(array($author));
ԿΛ͍͍͑ͷʁ ‣1)1Ҏલͷ1%0จࣈίʔυ·ΘΓ Ͱ͍Ζ͍Ζ໘ ‣1&"3.%#Λ͏ͷ͕ແͦ͏ ‣͍ͣΕʹͤΑɺͪΌΜͱจࣈίʔυΛࢦఆ͠ ·͠ΐ͏ ‣ৄ͘͠ʮ1%0ʹ͓͚ΔҰԠͷ҆શએݴͱ ΔʯIUUQCMPHUPLVNBSVPSH QEPIUNMࢀরͷ͜ͱ
·ͱΊ ‣ม͕Ͳ͏͍͏Ͱ͋Δ͔ʹؔΘΒͣɺม ͷΛؚΉ42-ΛΈཱͯΔ߹ɺඞͣϓ ϨʔεϗϧμʔΛ͏ͳΓɺΤεέʔϓ͢Δͳ Γ͢Δ લऀɺಛʹ੩తϓϨʔεϗϧμΛ͏ ‣҉ͷલఏʹͨΑΒͣɺ҆શੑΛۙͰ֬ೝ Ͱ͖ΔΑ͏ʹ͢Δ ‣42-ΠϯδΣΫγϣϯʹݶΒͣɺಉ༷ͷΠϯ δΣΫγϣϯܥ੬ऑੑ
લड़ Ͱಉ༷
੩తϓϨʔεϗϧμʹؔ͢Δิ https://twitter.com/tokuhirom/status/253499819136520193 https://twitter.com/tokuhirom/status/253501614747439104 ‣ϝϞϦΛແବʹফඅ ͢Δͱ͍͏ʁ ‣ΫϥΠΞϯτ͕ͪΌ Μͱεςʔτϝϯτϋ ϯυϥΛ։์ͯ͠Ε ͳ͍ʁ ‣IUUQCMPHFWFSRVFVFDPN
DIJCB
༨ஊ ಙؙઌੜʹ͓͖͍͖ͨͩ·ͨ͠ https://twitter.com/ockeghem/status/253128283795886080
ࢀߟจݙ ‣ʮαχλΠζݴ͏ͳΩϟϯϖʔϯʯͱԿ͔ ‣IUUQUBLBHJIJSPNJUTVKQEJBSZIUNMQ ‣ʰମܥతʹֶͿ҆શͳ8FCΞϓϦέʔγϣϯ ͷ࡞Γํʱ ಙؙߒɾஶ ‣IUUQXXXTCDSKQQSPEVDUTIUNM ‣ʰ҆શͳΣϒαΠτͷ࡞Γํผʮ҆શͳ 42-ͷݺͼग़͠ํʯʱ ‣IUUQXXXJQBHPKQTFDVSJUZWVMOEPDVNFOUT
XFCTJUF@TFDVSJUZ@TRMQEG