這篇文章是介紹SQL INJECTION攻擊方式。並以PHP開發網站時,要如何預防的文章。我將它翻成中文,若翻的不好請見諒囉。

PHP Programs to Prevent MySQL Injection or HTML Form Abuse

It has been known for a while that if a form is unsecured, malicious code in the form of a MySQL injection will be initiated to attack the site. HTML forms such as drop down menus, search boxes and check boxes are all susceptible entry points for this type of abuse. This article will explain what happens in this kind of attack, and how to prevent it.

大部份的人都知道網頁表單是不安全的,MySQL Injection這種惡意的程式常常被使用在這方面進行攻擊網站。例如像下拉式選單、搜索方塊、確認方塊都是易被當做攻擊的目標。這文章將討論這種攻擊類型是如何發生,且如何去防範它。

Known Security Issues and Background
The intent of MySQL injection is to take over the website database and administration to steal information. A common open source database like MySQL has been used by many website developers to store important information such as passwords, credit cards, usernames, personal information and administrative information.

MySQL Injection 這種攻擊的目的是為了奪取網站資料庫和管理者的權限及偷取資料。像MySQL這類型的開放資料庫系統常被使用在網站開發當做儲存重要資訊的工具,例如,密碼、身份証字號、姓名、個人資料和行政資料

This is a serious form of hacking that affects a lot of websites nowadays. You can easily spot it in Google search results with a warning sign: “This site may harm your computer” or when you are visiting the site “Malware detected” in browsers such as Google Chrome or Mozilla Firefox.

在現今,很多網站被利用表單攻擊方式遭駭入侵,你可以很輕易的在Google搜索結果頁看到上面被註記” This site may harm your computer”,或當你瀏覽這網站時,你的瀏覽器例如像Google ChromeMozilla Firefox碰到間碟攻擊。

MySQL is popular because it is used in conjunction with PHP , the most popular server side scripting language. We also know that PHP is the primary language of Linux-Apache based servers that dominate the Internet. So this means that PHP can be easily exploited by hackers just as spyware is in Windows.


The hacking starts with inputting malicious code into an unsecured website form (via drop menu forms, search boxes, contact forms, inquiry forms and check boxes). Other advanced forms can be injected via session–related URLs, but this topic is beyond the scope of this article. (For details of this process, please refer to the flowchart on the next page).

駭客利用在不安全的網站表單中輸入惡意的程式碼(經由下拉式選單,搜索方塊、聯絡表單、問題提問表單、確認方塊)。其他較進階的表單可以經由session–related URLs進行攻擊,但這個議題已經超出本文章的範圍(不做討論,請尋找下一篇)

The malicious code will then be transported to the MySQL database and hence “injected.” To see how this works, first consider the following basic and normal MySQL SELECT statement query:

從此處開始攻擊。看下面的例子,首先想想這基本且正規的MySQL SELECT程序語言:

SELECT * FROM xmen WHERE username = 'wolverine'

This query will ask the database with the "xmen" table to return a certain piece of data in the MySQL for the username "wolverine."


In the web forms, a user will enter wolverine  , and then this data will be passed to the MySQL query, resulting in the above statement.



If the input is not validated, a hacker can craft the input in such a way as to gain control of the database, for example setting the username to:


' OR ''=''
You may think having the normal PHP and MySQL syntax to process inputs is safe because every time they may enter malicious codes they will get an “Invalid query” message, but it is not.

也許你會想說有正規PHPMySQL語法可以處理確保輸入值是安全的,因為當他們可能輸入惡意的程式時,系統會給他們一個” Invalid query”訊息,但是,事實並不如此..

In reality there are a lot of smart hackers, and they can easily work on this. Once there is a security breach, correcting this will become difficult. It involves cleaning the database and revamping the administrative access.


PHP Programs to Prevent MySQL Injection or HTML Form Abuse - The Flow of User Input (Without Validation)

If you are a beginner in MySQL and PHP, it would be useful to illustrate the flow of user information. Please check the screen shot of what will happen if the user input is not validated:


You can observe that even after the database or malware clean up, as long as the website form input is not validated, we will see re-infection of the website. Two common misconceptions of MySQL injection attacks are as follows:

你可以觀察到只要網站表單是不正當的,在這個事件產生清除資料庫或惡意程式後,我們將發現網站一直會被侵略。以下例出兩個MySQL injection 攻擊常常被誤導的關念:

The webmaster thinks that malware injection can be cleaned up using anti-virus or anti-spyware software. It cannot be cleaned up in this way because this type of infection exploits the weaknesses of MySQL databases. It cannot simply be removed by any spyware or anti-virus program.


MySQL injection is a virus infection as a result of having copied infected files from another server or outside sources. It is not. This type of infection is a result of having someone type malicious codes into any unprotected forms in the website, and then gaining access to the database. Virus infection as a result of a MySQL injection can be cleaned by removing the malicious scripts and not by using anti-virus programs.

由於能夠從其他的伺服器或外部程式造成攻擊危害,所以MySQL injection算是一種病毒攻擊。可是這關念是錯的。這種攻擊類型是由於使用者輸入惡意程式進入未保護的網站,且進一步獲取讀取資料庫的存取權限。MySQL injection攻擊是可以以移除惡意的程式清除,可是不是用病毒程式進行處理。

Flow of User Input (With Validation)

It is highly important to back up a clean database and put it outside the server. It is very easy to export a set of MySQL tables and save it to your desktop, for example. Double check to make sure the database contains the exact and clean entries that you expect.


Then go to your server and temporarily shut the forms input first. This means the form cannot accept data to be processed; this will also mean that your website will be shut down, too.


Then start the clean up process. First, on your server, clean up any mess left by the MySQL injection. Change all database, FTP and website passwords.

然後開始清理檢查相關處理程序。首先在你的伺服器上,清理掉所有被MySQL injection所造成的攻擊傷害。改變所有資料庫、ftp、網站的密碼。

In t


天秤女~佳佳 發表在 痞客邦 PIXNET 留言(0) 人氣()