Shuningdek, O’zbekiston Prezidenti 7-fevral kungi farmoni bilan 2017

Download 306,49 Kb.

bet	21/24
Sana	21.06.2022
Hajmi	306,49 Kb.
	#689874

1 ... 16 17 18 19 20 21 22 23 24

Bog'liq
Защита от SQL

Test natijalari:
MySQL .

mysql> select version();
+---------------------+
| version() |
+---------------------+
| 5.0.45-community-nt |
+---------------------+
1 row in set (0.00 sec)

mysql> CREATE TABLE users (
-> username VARCHAR(32) CHARACTER SET GBK,
-> password VARCHAR(32) CHARACTER SET GBK,
-> PRIMARY KEY (username)
-> );
Query OK, 0 rows affected (0.08 sec)

mysql> insert into users SET username='ewrfg', password='wer44';
Query OK, 1 row affected (0.02 sec)

mysql> insert into users SET username='ewrfg2', password='wer443';
Query OK, 1 row affected (0.03 sec)

mysql> insert into users SET username='ewrfg4', password='wer4434';
Query OK, 1 row affected (0.00 sec)

PHP

echo "PHP version: ".PHP_VERSION."\n";

mysql_connect();
mysql_select_db("test");
mysql_query("SET NAMES GBK");

$_POST['username'] = chr(0xbf).chr(0x27).' OR username = username /*';
$_POST['password'] = 'guess';

$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysql_query($sql) or trigger_error(mysql_error().$sql);
var_dump($username);
var_dump(mysql_num_rows($result));
var_dump(mysql_client_encoding());

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysql_query($sql) or trigger_error(mysql_error().$sql);
var_dump($username);
var_dump(mysql_num_rows($result));
var_dump(mysql_client_encoding());

mysql_set_charset("GBK");
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysql_query($sql) or trigger_error(mysql_error().$sql);
var_dump($username);
var_dump(mysql_num_rows($result));
var_dump(mysql_client_encoding());

Natija

PHP version: 5.3.3
string(29) "ї\' OR username = username /*"
int(3)
string(6) "latin1"
string(29) "ї\' OR username = username /*"
int(3)
string(6) "latin1"
string(30) "\ї\' OR username = username /*"
int(0)
string(3) "gbk"
Men yuqorida aytib o'tgan xarakterli tafsilot: PDO-da yaqin vaqtgacha ulanish kodlashni o'rnatish umuman imkonsiz edi. PDO'da mysql_set_charset () ga o'xshash funksiya yo'q va DSN 5.3 versiyasidan oldin faqat charset parametrining modeli mavjud edi , u xato bermadi, lekin hech qanday kodlashni ham o'rnatmadi.
PDO hamma narsadan qanday himoyalanishi haqida gapiradigan belgilarni troll qilish qobiliyatidan tashqari, hech qanday maxsus narsa yo'q .

Download 306,49 Kb.

Do'stlaringiz bilan baham:

1 ... 16 17 18 19 20 21 22 23 24