SQL Injection Prevention

From the Technical Development Group internal wiki
A SQL injection check mechanism has been added to the fmb.dianping code base. The core code is taken from the corresponding Discuz code and has been wrapped into our own code base.
Once this mechanism is in place, some SQL statements have to be written differently, otherwise the program may raise errors.
All subsequent feature development must strictly follow these rules when writing SQL statements. Back-end scripts, however, do not go through the SQL injection check.

General rule

Apply strict type conversion to every external variable that is accepted, for example with the intval function. A thousand-mile dike is breached by an ant hole!
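As an added example (not code from the fmb.dianping code base), the following standalone PHP script shows what "strict type conversion" of request parameters looks like in practice: each parameter is declared as an int, a non-negative int, a list of ints, or a value from a whitelist, and only the coerced result is ever concatenated into SQL. The helper name coerce_param, the table and column names, and the request values are all constructed for this illustration.

```php
<?php
// Added example, not part of the project: coerce external request parameters
// to a declared type before they reach a SQL string. Every identifier here is
// hypothetical; the request array stands in for $_GET and is constructed.

/**
 * Coerce one request value according to a declared type.
 * Returns the coerced value, or $default when the input is unusable.
 *   int      -> (int) cast, i.e. the same truncation intval() performs
 *   uint     -> int that must be >= 0, otherwise $default
 *   int_list -> comma-separated digits (for IN (...)); non-digit items are dropped
 *   enum     -> accepted only if it is one of $allowed, compared strictly
 */
function coerce_param($value, $type, $default = null, array $allowed = array())
{
    switch ($type) {
        case 'int':
            return (int) $value;
        case 'uint':
            $n = (int) $value;
            return $n < 0 ? $default : $n;
        case 'int_list':
            $items = array();
            foreach (explode(',', (string) $value) as $item) {
                $item = trim($item);
                if ($item !== '' && ctype_digit($item)) {
                    $items[] = (int) $item;
                }
            }
            return $items ? $items : $default;
        case 'enum':
            return in_array($value, $allowed, true) ? $value : $default;
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// Constructed request. The values are deliberately malformed so that the
// effect of each coercion is visible in the resulting SQL.
$request = array(
    'area_id'   => '12 or 1=1',      // trailing text is discarded by the cast
    'page'      => '-3',             // negative page is replaced by the default
    'cat_ids'   => '4,5,abc,7',      // non-digit item is dropped from the IN list
    'orderby'   => 'banner desc',    // not in the whitelist, default is used
    'page_size' => '20',
);

$area_id   = coerce_param($request['area_id'], 'int', 0);
$page      = max(1, coerce_param($request['page'], 'uint', 1));
$page_size = coerce_param($request['page_size'], 'uint', 20);
$cat_ids   = coerce_param($request['cat_ids'], 'int_list', array(0));
// ORDER BY cannot be parameterised, so a whitelist is the only safe option.
$orderby   = coerce_param($request['orderby'], 'enum', 'start_time desc',
                          array('start_time desc', 'sell_num desc'));

// Only coerced values are interpolated, so nothing from the raw request can
// alter the structure of the statement.
$sql = 'select aid, title from activity'
     . ' where area_id = ' . $area_id
     . ' and category_id in (' . implode(',', $cat_ids) . ')'
     . ' order by ' . $orderby
     . ' limit ' . (($page - 1) * $page_size) . ',' . $page_size;

echo $sql, "\n";
```

Run it with the PHP CLI (php coerce_example.php) to see the statement that is built from the malformed request. Free-text string values are intentionally absent from this example: those belong in query bindings or the driver's escape function, not in string concatenation, whatever casting is applied.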

Code file

fmb.dianping\application\libraries\SqlSafeCheck.php

Integration changes

fmb.dianping\system\database\drivers\mysql\mysql_driver.php
<source lang="php">
function _execute($sql)
{
    $sql = $this->_prep_query($sql);
    // The SQL injection check is performed here.
    // Get the CI instance.
    $ci =& get_instance();
    $ci->load->library('SqlSafeCheck', "", "sqlSafeCheck");
    $ci->sqlSafeCheck->checkquery($sql);
    // Check finished.
    return @mysql_query($sql, $this->conn_id);
}
</source>

Specific rules

fmb.dianping\application\config\safe.php
<source lang="php">
// Whether SQL safety checking is enabled; it automatically guards against SQL injection attacks.
$config['security']['querysafe']['status'] = 1;
// Disallowed functions.
$config['security']['querysafe']['dfunction'] = array('load_file', 'hex', 'substring', 'if', 'ord', 'char');
// Disallowed actions.
$config['security']['querysafe']['daction'] = array('@', 'intooutfile', 'intodumpfile', 'unionselect', '(select', 'unionall', 'uniondistinct');
// Disallowed comment markers.
$config['security']['querysafe']['dnote'] = array('/*', '*/', '#', '--', /*'"'*/);
// Reject hex literals following LIKE ("like 0x...").
$config['security']['querysafe']['dlikehex'] = 1;
// Whether an empty comment " /**/ " is allowed.
$config['security']['querysafe']['afullnote'] = 0;
</source>

Special cases

If existing code violates the safety rules above, for example a statement containing "(select" or "if(", the check can be bypassed for that statement as follows:
<source lang="php">
$this->load->library('SqlSafeCheck', "", "sqlSafeCheck");
// Exempt the "if(" contained in the SQL statement.
$this->sqlSafeCheck->addExclude("if(");
if ($_GET['status'] == 3) {
    $sql = 'select sell_num,aid,title,banner,start_time,end_time,recommend,area_id,business_id,category_id from '.DB_TABLE_NEW_ACTIVITY;
    $sql .= ' where '.$this->_condition.' order by '.$this->_list_orderby.' limit '.(($page-1)*$page_size).','.$page_size;
    $list_tmp = $this->db_slave->query($sql)->result_array();
} else {
    $list_tmp = $this->activity->get(array(
        'select' => 'sell_num,aid,title,banner,start_time,end_time,recommend,area_id,business_id,category_id',
        'condition' => $this->_condition,
        'page' => $page,
        'page_size' => $page_size,
        'orderby' => $this->_list_orderby,
    ));
}
// Clear the exemption once the query has been executed.
$this->sqlSafeCheck->clearExclude();
</source>
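To make the "Specific rules" and "Special cases" sections concrete, here is an added, standalone checker that applies the rule lists from safe.php to a query and supports the same addExclude/clearExclude exemption that the snippet above uses. It is modelled loosely on the Discuz approach the wiki says the project adapted, but it is not the project's SqlSafeCheck class: the class name QuerySafeChecker, the check() return codes, and the sample queries are all constructed for this example; the rule values are those from safe.php.

```php
<?php
// Added example, not the project's SqlSafeCheck: a minimal query checker that
// applies the safe.php rule lists and honours an exclusion list. All names are
// hypothetical; the sample queries below are constructed.

class QuerySafeChecker
{
    private $config;
    private $excludes = array();

    public function __construct(array $querysafe)
    {
        $this->config = $querysafe;
    }

    // Same escape hatch the wiki describes: a pattern that is removed from the
    // normalised query before the rules run, then cleared after the query.
    public function addExclude($pattern) { $this->excludes[] = $pattern; }
    public function clearExclude()       { $this->excludes = array(); }

    /**
     * Returns 1 when the query passes, or a negative code for the rule it hit:
     *  -1 disallowed function, -2 "like 0x" hex literal,
     *  -3 disallowed action,   -4 disallowed comment marker.
     */
    public function check($sql)
    {
        if (empty($this->config['status'])) {
            return 1;
        }
        // 1. Drop escaped quotes, then the contents of string literals: data
        //    inside quotes is the driver's concern, this check is about structure.
        $clean = str_replace(array('\\\\', "\\'", '\\"', "''"), '', $sql);
        $clean = preg_replace("/'[^']*'/s", "''", $clean);
        $clean = preg_replace('/"[^"]*"/s', '""', $clean);
        // 2. Lower-case and strip whitespace so that "UNION   SELECT" becomes
        //    "unionselect" and "in (select" becomes "in(select", matching the
        //    daction entries exactly as they are written in safe.php.
        $clean = preg_replace('/\s+/', '', strtolower($clean));
        // 3. Remove exempted patterns (normalised the same way).
        foreach ($this->excludes as $ex) {
            $clean = str_replace(preg_replace('/\s+/', '', strtolower($ex)), '', $clean);
        }
        // 4. Apply the rule lists.
        foreach ((array) $this->config['dfunction'] as $fn) {
            if (strpos($clean, $fn . '(') !== false) return -1;
        }
        if (!empty($this->config['dlikehex']) && strpos($clean, 'like0x') !== false) {
            return -2;
        }
        foreach ((array) $this->config['daction'] as $action) {
            if (strpos($clean, $action) !== false) return -3;
        }
        if (!empty($this->config['afullnote'])) {
            $clean = str_replace('/**/', '', $clean);
        }
        foreach ((array) $this->config['dnote'] as $note) {
            if (strpos($clean, $note) !== false) return -4;
        }
        return 1;
    }
}

// Rule values as in safe.php.
$rules = array(
    'status'    => 1,
    'dfunction' => array('load_file', 'hex', 'substring', 'if', 'ord', 'char'),
    'daction'   => array('@', 'intooutfile', 'intodumpfile', 'unionselect', '(select', 'unionall', 'uniondistinct'),
    'dnote'     => array('/*', '*/', '#', '--'),
    'dlikehex'  => 1,
    'afullnote' => 0,
);
$checker = new QuerySafeChecker($rules);

// Constructed queries covering the rule families and the string-literal case.
$queries = array(
    "select aid, title from activity where area_id = 12 limit 0,20",
    "select aid from activity where title = 'union select'",                  // keyword inside a literal
    "select aid from activity where aid in (select aid from activity_extra)", // subquery, daction '(select'
    "select if(sell_num > 0, 1, 0) as sold from activity",                    // dfunction 'if'
    "select aid from activity where title like 0x41",                          // dlikehex
    "select aid from activity -- trailing comment",                            // dnote '--'
);
foreach ($queries as $q) {
    printf("%3d  %s\n", $checker->check($q), $q);
}

// The exemption path from the "Special cases" section: allow "if(" for one
// legacy statement only, then clear it so later queries are checked in full.
$checker->addExclude("if(");
printf("%3d  (with exclude) %s\n", $checker->check($queries[3]), $queries[3]);
$checker->clearExclude();
printf("%3d  (exclude cleared) %s\n", $checker->check($queries[3]), $queries[3]);
```

Two points worth noticing when reading the output: the literal 'union select' passes because string contents are blanked before the rules run, which is why the check is a structural filter and not a substitute for escaping or binding user data; and the exclusion removes only the exact normalised pattern, so an exempted statement is still checked against every other rule.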