
php - mysql_real_escape_string not good enough?

Reposted. Author: 行者123. Updated: 2023-11-29 07:09:40

So even when the data is sanitized with mysql_real_escape_string, you can still do SQL injection using %27:

%27) SQL INJECTION HERE %2F*

What should I do?

Edit, with an example:

$sql = sprintf("SELECT *, MATCH(post) AGAINST ('%s*' IN BOOLEAN MODE) AS score FROM Posts WHERE MATCH(post) AGAINST('%s*' IN BOOLEAN MODE)",
    mysql_real_escape_string($_GET['searchterm']),
    mysql_real_escape_string($_GET['searchterm']));

$results = $db->queryAsArray($sql);

If you pass %27) SQL INJECTION HERE %2F* as the searchterm query-string value, I get this output on the page:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'BOOLEAN MODE)' at line 1

Thanks, everyone, for spotting the problem in the db class.

Best answer

Judging from the method name queryAsArray, it looks like you are using this DbBase class from the comments of the MySQL functions manual page. If so, it is its query method that strips the escape character from escaped quotes:

function query($sql, &$records = null){
    $sql = str_replace(array('\\"', "\\'"), array('"', "'"), $sql);
    // …
}

So it is no miracle that your example runs (I have simplified it):

$input = "', BAD SQL INJECTION --";

$sql = "SELECT '".mysql_real_escape_string($input)."'";
var_dump($sql); // string(33) "SELECT '\', BAD SQL INJECTION --'"
// everything’s OK ↑

$sql = str_replace(array('\\"', "\\'"), array('"', "'"), $sql);
var_dump($sql); // string(32) "SELECT '', BAD SQL INJECTION --'"
// Oops! ↑
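The mechanism the answer describes, as an added illustration in Python rather than the page's PHP (this is not code from the question, the answer, or the DbBase class): mysql_real_escape_string and the wrapper's str_replace are re-implemented as stand-ins (assumed escape rules taken from the PHP manual: backslash, both quote characters, NUL, newline, carriage return and Ctrl-Z receive a leading backslash; no charset handling), a small scanner of MySQL-style quoted literals shows which part of the finished statement the server would parse as SQL code versus string data, and sqlite3 stands in for MySQL to show the parameterized alternative. The table, the rows and the two payloads (the answer's and the URL-decoded one from the question) are constructed test data.

```python
"""Escape, then un-escape: why the DbBase wrapper defeats mysql_real_escape_string.

Added illustration, not code from the question or from the DbBase class.
Assumptions: the escape rules mirror the PHP manual for mysql_real_escape_string
(\\, ', ", NUL, \\n, \\r and Ctrl-Z get a leading backslash, no charset logic);
sqlite3 stands in for MySQL in the parameterized-query part.
"""
import sqlite3
from urllib.parse import unquote

_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

ANSWER_PAYLOAD = "', BAD SQL INJECTION --"                # input used in the answer
QUESTION_PAYLOAD = unquote("%27) SQL INJECTION HERE %2F*")  # input used in the question
TEMPLATE = "SELECT * FROM Posts WHERE post = ?"             # the statement minus its literal


def mysql_real_escape_string(s: str) -> str:
    """Python stand-in for PHP's mysql_real_escape_string()."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def dbbase_unescape(sql: str) -> str:
    """The str_replace() that DbBase::query() applies to the finished statement."""
    return sql.replace('\\"', '"').replace("\\'", "'")


def build_query(searchterm: str, through_dbbase: bool) -> str:
    """Escape the term and splice it into the statement, optionally running the
    result through the wrapper's un-escaping step afterwards."""
    sql = "SELECT * FROM Posts WHERE post = '%s'" % mysql_real_escape_string(searchterm)
    return dbbase_unescape(sql) if through_dbbase else sql


def split_sql(sql: str):
    """Scan MySQL-style single-quoted literals, where a backslash escapes the
    next character.  Returns (code, literals): `code` is the statement with
    each literal replaced by '?', i.e. the part the server parses as SQL;
    `literals` holds the decoded values (escapes are decoded only as far as
    dropping the backslash, which covers the quote cases shown here)."""
    code, literals, i = [], [], 0
    while i < len(sql):
        if sql[i] != "'":
            code.append(sql[i])
            i += 1
            continue
        buf, i = [], i + 1
        while i < len(sql) and sql[i] != "'":
            if sql[i] == "\\" and i + 1 < len(sql):
                i += 1                       # keep the escaped character itself
            buf.append(sql[i])
            i += 1
        literals.append("".join(buf))
        code.append("?")
        i += 1                               # closing quote (or end of input)
    return "".join(code), literals


def is_injected(sql: str) -> bool:
    """True when user text left its literal and became part of the SQL code."""
    return split_sql(sql)[0] != TEMPLATE


def search_posts_safely(searchterm: str) -> list:
    """Parameterized query: the term travels as data and is never spliced into
    the SQL text (the PHP equivalent is a mysqli or PDO prepared statement)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Posts (post TEXT)")
    con.executemany("INSERT INTO Posts VALUES (?)",          # constructed rows
                    [("hello world",), (ANSWER_PAYLOAD,)])
    rows = con.execute(TEMPLATE, (searchterm,)).fetchall()
    con.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    for term in (ANSWER_PAYLOAD, QUESTION_PAYLOAD):
        for through_dbbase in (False, True):
            sql = build_query(term, through_dbbase)
            print("%-8s %-62s %s" % ("DbBase" if through_dbbase else "escaped",
                                     sql, "INJECTED" if is_injected(sql) else "safe"))
    print(search_posts_safely(ANSWER_PAYLOAD))   # the payload is matched as plain text
```

Run as-is, each payload comes out "safe" when only escaped and "INJECTED" once the wrapper has stripped the backslashes: the scanner shows the literal collapsing to the empty string and the rest of the input landing outside any quotes, which is exactly where the question's syntax error comes from. The fix for the DbBase class is to delete the str_replace line; the better fix is to stop building SQL from strings at all and bind the search term as a parameter, as search_posts_safely does.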

On "php - mysql_real_escape_string not good enough?", the original question is on Stack Overflow: https://stackoverflow.com/questions/5304424/
