웹 해킹에 대응하는 방법
1. 물리적인 장비나 소프트웨어를 이용한 대응방법
방화벽 // WAF(Web Application Firewall) L7 방화벽
IDS,IPS
2. 시큐어 코딩
2-1. Prepared Statement --> SQL Injection 공격을 방어하는 대표적인 기법
2-2. 입력값 검증 -->
2-3. 입력 길이 제한 --> 근본적인 방법은 아니지만, 매우 효과적임
입력값 검증 방법
1. 치환 ' -> \'
# Search Logic
# real_escape_string() escapes the characters that would terminate a quoted
# SQL string; it only protects a value that ends up between quotes in the
# query (the keyword). A column name used as an identifier needs a separate
# check (regex or a fixed list), which escaping does not provide.
$search_type = $db_conn->real_escape_string($_POST["search_type"]);
$keyword = $db_conn->real_escape_string($_POST["keyword"]);
index.php
$search_type : real_escape_string(), 정규 표현식 preg_match()
$keyword : real_escape_string()
$sort : ASC // DESC 입력 제한
$sort_column : 정규 표현식 preg_match()
# index.php
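<?php
include_once("./common.php");
$db_conn = mysql_conn();

# Column names cannot be escaped or bound like values, so the identifiers a
# visitor may choose (search column, sort column) are checked against fixed
# lists instead of a character regex. password/secret are deliberately left
# out: ordering by them would let a visitor infer their contents. Extend the
# lists with any other column of {$tb_name} that should be searchable/sortable.
$search_columns = ["title", "writer", "content"];
$sort_columns = ["idx", "title", "writer", "content"];

# Search Logic
# real_escape_string() protects only the value that is placed between quotes
# (the keyword). A prepared statement with the keyword bound as ? is the
# preferred form; escaping is kept because the rest of the page builds
# $query as a string. Note that % and _ inside the keyword remain LIKE
# wildcards (real_escape_string() does not touch them).
$search_type = $_POST["search_type"] ?? "";
$keyword = $db_conn->real_escape_string($_POST["keyword"] ?? "");

# Sort Logic
$sort = strtoupper($_GET["sort"] ?? "");   // only ASC or DESC is accepted
$sort_column = $_GET["sort_column"] ?? "";
//strtoupper() converts the whole string to upper case
//strtolower() converts the whole string to lower case
$sort = ($sort === "ASC") ? "ASC" : "DESC";   // anything else falls back to DESC

# Allowed input: validated BEFORE the query is assembled, so a rejected
# identifier never becomes part of a query string. "" means "not given".
$search_type_ok = $search_type === "" || $search_type === "all"
    || in_array($search_type, $search_columns, true);
$sort_column_ok = $sort_column === "" || in_array($sort_column, $sort_columns, true);
if (!$search_type_ok || !$sort_column_ok) {
    echo "<script>alert('잘못된 입력입니다'); history.back(-1); </script>";
    exit();
}

if ($search_type === "" && $keyword === "") {
    $query = "select * from {$tb_name}";
} elseif ($search_type === "all" || $search_type === "") {
    # A keyword without a search type searches every column (previously this
    # produced an invalid "where  like" query).
    $query = "select * from {$tb_name} where title like '%{$keyword}%' or writer like '%{$keyword}%' or content like '%{$keyword}%'";
} else {
    $query = "select * from {$tb_name} where {$search_type} like '%{$keyword}%'";
}

if ($sort_column === "") {
    $query .= " order by idx desc";
} else {
    $query .= " order by {$sort_column} {$sort}";
}

# The driver's error text is logged, not echoed: a visitor only sees a
# generic error page.
$result = $db_conn->query($query);
if ($result === false) {
    error_log("index.php query failed: " . $db_conn->error);
    die("에러페이지입니다");
}
$num = $result->num_rows;
?>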
view.php
$password : 치환 real_escape_string()
# view.php
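<?php
include_once("./common.php");
$db_conn = mysql_conn();

# idx is interpolated unquoted into the query, so it must be a real integer.
# FILTER_VALIDATE_INT is stricter than is_numeric(): it rejects "1.5", "1e3"
# and other numeric-looking strings and yields an int on success.
$idx = filter_var($_REQUEST["idx"] ?? null, FILTER_VALIDATE_INT);
$password = $db_conn->real_escape_string($_POST["password"] ?? "");

# Rejecting idx must also stop the script: the original only showed the
# alert and then went on to run the query with the unchecked value.
if ($idx === false) {
    echo "<script>alert('잘못된 입력입니다'); history.back(-1); </script>";
    exit();
}

# No password: the post is shown only if it is not secret.
# Password given: the post is shown only if the password matches.
# "0" is a legitimate password, so compare with "" instead of using empty().
# NOTE(review): matching the password inside SQL implies it is stored in
# clear text; storing password_hash() output and checking it in PHP with
# password_verify() would be preferable.
if ($password === "") {
    $query = "select * from {$tb_name} where idx={$idx} and secret='n'";
} else {
    $query = "select * from {$tb_name} where idx={$idx} and password='{$password}'";
}

# The driver's error text is logged, not echoed: showing $db_conn->error tells
# a visitor exactly how the query failed.
$result = $db_conn->query($query);
if ($result === false) {
    error_log("view.php query failed: " . $db_conn->error);
    die("에러페이지입니다");
}
$num = $result->num_rows;
?>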
( CASE WHEN 조건문 THEN 참 ELSE 거짓 END )
( CASE WHEN 1=1 THEN 0x7469746c65 ELSE 0x696478 END )
(CASE WHEN (SELECT substr((SELECT database()),1,1))=0x62 THEN (SELECT 0x41 UNION SELECT 0x42) END)
(SELECT substr((SELECT database()),1,1))=0x62
> 참일 경우 : 에러페이지 발생
> 거짓일 경우 : 정상페이지 출력
0x7469746c65 > title
0x696478 > idx