我的第一个 PHP

因为需要了解下 SQL 注入，就使用 PHP 自己写了一个只有一个网页的网站测试下，现在记录下过程。。。

直接使用的 KALI系统 (KALI官网：https://www.kali.org/)。KALI 是一个渗透测试的神器。集成了好多黑客工具，当然也就集成了许多开发所需的环境。

这里只涉及 MySQL 和 apache 

启动 MySQL :

root@kali:~# systemctl start mysql      //启动 mysql 服务root@kali:~# systemctl status mysql     //查看 mysql 状态

SQL 建表脚本(添加一些测试数据)：

MySQL样例数据库脚本：http://download.csdn.net/detail/freeking101/9915991

DROP SCHEMA IF EXISTS world;CREATE SCHEMA world;USE world;SET AUTOCOMMIT=0;---- Table structure for table `City`--DROP TABLE IF EXISTS `City`;CREATE TABLE `City` (  `ID` int(11) NOT NULL AUTO_INCREMENT,  `Name` char(35) NOT NULL DEFAULT '',  `CountryCode` char(3) NOT NULL DEFAULT '',  `District` char(20) NOT NULL DEFAULT '',  `Population` int(11) NOT NULL DEFAULT '0',  PRIMARY KEY (`ID`),  KEY `CountryCode` (`CountryCode`),  CONSTRAINT `city_ibfk_1` FOREIGN KEY (`CountryCode`) REFERENCES `Country` (`Code`)) ENGINE=InnoDB AUTO_INCREMENT=4080 DEFAULT CHARSET=latin1;---- Dumping data for table `City`---- ORDER BY:  `ID`INSERT INTO `City` VALUES (1,'Kabul','AFG','Kabol',1780000);INSERT INTO `City` VALUES (2,'Qandahar','AFG','Qandahar',237500);INSERT INTO `City` VALUES (3,'Herat','AFG','Herat',186800);INSERT INTO `City` VALUES (4,'Mazar-e-Sharif','AFG','Balkh',127800);INSERT INTO `City` VALUES (5,'Amsterdam','NLD','Noord-Holland',731200);INSERT INTO `City` VALUES (6,'Rotterdam','NLD','Zuid-Holland',593321);INSERT INTO `City` VALUES (7,'Haag','NLD','Zuid-Holland',440900);INSERT INTO `City` VALUES (8,'Utrecht','NLD','Utrecht',234323);INSERT INTO `City` VALUES (9,'Eindhoven','NLD','Noord-Brabant',201843);INSERT INTO `City` VALUES (10,'Tilburg','NLD','Noord-Brabant',193238);COMMIT;---- Table structure for table `Country`--DROP TABLE IF EXISTS `Country`;CREATE TABLE `Country` (  `Code` char(3) NOT NULL DEFAULT '',  `Name` char(52) NOT NULL DEFAULT '',  `Continent` enum('Asia','Europe','North America','Africa','Oceania','Antarctica','South America') NOT NULL DEFAULT 'Asia',  `Region` char(26) NOT NULL DEFAULT '',  `SurfaceArea` float(10,2) NOT NULL DEFAULT '0.00',  `IndepYear` smallint(6) DEFAULT NULL,  `Population` int(11) NOT NULL DEFAULT '0',  `LifeExpectancy` float(3,1) DEFAULT NULL,  `GNP` float(10,2) DEFAULT NULL,  `GNPOld` float(10,2) DEFAULT NULL,  `LocalName` char(45) NOT NULL DEFAULT '',  `GovernmentForm` char(45) NOT NULL DEFAULT '',  `HeadOfState` char(60) DEFAULT NULL,  `Capital` int(11) DEFAULT NULL,  `Code2` char(2) NOT NULL DEFAULT '',  PRIMARY KEY (`Code`)) ENGINE=InnoDB DEFAULT CHARSET=latin1;---- Dumping data for table `Country`---- ORDER BY:  `Code`INSERT INTO `Country` VALUES ('ABW','Aruba','North America','Caribbean',193.00,NULL,103000,78.4,828.00,793.00,'Aruba','Nonmetropolitan Territory of The Netherlands','Beatrix',129,'AW');INSERT INTO `Country` VALUES ('AFG','Afghanistan','Asia','Southern and Central Asia',652090.00,1919,22720000,45.9,5976.00,NULL,'Afganistan/Afqanestan','Islamic Emirate','Mohammad Omar',1,'AF');INSERT INTO `Country` VALUES ('AGO','Angola','Africa','Central Africa',1246700.00,1975,12878000,38.3,6648.00,7984.00,'Angola','Republic','Jos?Eduardo dos Santos',56,'AO');INSERT INTO `Country` VALUES ('AIA','Anguilla','North America','Caribbean',96.00,NULL,8000,76.1,63.20,NULL,'Anguilla','Dependent Territory of the UK','Elisabeth II',62,'AI');INSERT INTO `Country` VALUES ('ALB','Albania','Europe','Southern Europe',28748.00,1912,3401200,71.6,3205.00,2500.00,'Shqip雛ia','Republic','Rexhep Mejdani',34,'AL');INSERT INTO `Country` VALUES ('AND','Andorra','Europe','Southern Europe',468.00,1278,78000,83.5,1630.00,NULL,'Andorra','Parliamentary Coprincipality','',55,'AD');INSERT INTO `Country` VALUES ('ANT','Netherlands Antilles','North America','Caribbean',800.00,NULL,217000,74.7,1941.00,NULL,'Nederlandse Antillen','Nonmetropolitan Territory of The Netherlands','Beatrix',33,'AN');INSERT INTO `Country` VALUES ('ARE','United Arab Emirates','Asia','Middle East',83600.00,1971,2441000,74.1,37966.00,36846.00,'Al-Imarat al-碅rabiya al-Muttahida','Emirate Federation','Zayid bin Sultan al-Nahayan',65,'AE');INSERT INTO `Country` VALUES ('ARG','Argentina','South America','South America',2780400.00,1816,37032000,75.1,340238.00,323310.00,'Argentina','Federal Republic','Fernando de la R鷄',69,'AR');INSERT INTO `Country` VALUES ('ARM','Armenia','Asia','Middle East',29800.00,1991,3520000,66.4,1813.00,1627.00,'Hajastan','Republic','Robert Kot歛rjan',126,'AM');INSERT INTO `Country` VALUES ('ASM','American Samoa','Oceania','Polynesia',199.00,NULL,68000,75.1,334.00,NULL,'Amerika Samoa','US Territory','George W. Bush',54,'AS');COMMIT;---- Table structure for table `CountryLanguage`--DROP TABLE IF EXISTS `CountryLanguage`;CREATE TABLE `CountryLanguage` (  `CountryCode` char(3) NOT NULL DEFAULT '',  `Language` char(30) NOT NULL DEFAULT '',  `IsOfficial` enum('T','F') NOT NULL DEFAULT 'F',  `Percentage` float(4,1) NOT NULL DEFAULT '0.0',  PRIMARY KEY (`CountryCode`,`Language`),  KEY `CountryCode` (`CountryCode`),  CONSTRAINT `countryLanguage_ibfk_1` FOREIGN KEY (`CountryCode`) REFERENCES `Country` (`Code`)) ENGINE=InnoDB DEFAULT CHARSET=latin1;---- Dumping data for table `CountryLanguage`---- ORDER BY:  `CountryCode`,`Language`INSERT INTO `CountryLanguage` VALUES ('ABW','Dutch','T',5.3);INSERT INTO `CountryLanguage` VALUES ('ABW','English','F',9.5);INSERT INTO `CountryLanguage` VALUES ('ABW','Papiamento','F',76.7);INSERT INTO `CountryLanguage` VALUES ('ABW','Spanish','F',7.4);INSERT INTO `CountryLanguage` VALUES ('AFG','Balochi','F',0.9);INSERT INTO `CountryLanguage` VALUES ('AFG','Dari','T',32.1);INSERT INTO `CountryLanguage` VALUES ('AFG','Pashto','T',52.4);INSERT INTO `CountryLanguage` VALUES ('AFG','Turkmenian','F',1.9);INSERT INTO `CountryLanguage` VALUES ('AFG','Uzbek','F',8.8);INSERT INTO `CountryLanguage` VALUES ('AGO','Ambo','F',2.4);INSERT INTO `CountryLanguage` VALUES ('AGO','Chokwe','F',4.2);COMMIT;SET AUTOCOMMIT=1;

启动 apache

root@kali:~# systemctl start apache2root@kali:~# systemctl status apache2

apache 的默认主页是  /var/www/html/index.html。直接访问 http://localhost/index.html 

修改 index.html 为 index.php

index.php 内容如下： （数据库连接部分参考：https://www.runoob.com/php/php-pdo.html）

<?php ini_set("display_errors", "On");error_reporting(E_ALL | E_STRICT);print('Hello '); // 输出 "Hello " 并且没有换行符echo "World\n";  // 输出 "World" 并且换行echo "<br />";echo "<hr />";echo '<p align="center">DataBase connect test</p>';$dbms='mysql';      //数据库类型$host='127.0.0.1';  //数据库主机名$dbName='world';    //使用的数据库$user='root';       //数据库连接用户名$pass='';           //对应的密码$dsn="$dbms:host=$host;dbname=$dbName";try {    // 连接到数据库    $dbh = new PDO($dsn, $user, $pass);      $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);      $dbh->exec('set names utf8');     echo "连接成功<br/>";    // sql 语句    $strsql="SELECT id,name,countrycode FROM `City` LIMIT 5";    //你还可以进行一次搜索操作    foreach ($dbh->query($strsql) as $row) {        //print_r($row); //你可以用 echo($GLOBAL); 来看到这些值        echo "id: {$row['id']}        ";        echo "name: {$row['name']}        ";        echo "countrycode: {$row['countrycode']}        ";        echo "<br />";    }    $dbh = null;} catch (PDOException $e) {    die ("Error!: " . $e->getMessage() . "<br/>");}?><br /><hr /><p align="center">input test</p><form><div>Input Query ID:<input type="text" name="search" style="width:60%;" ><input type="submit" name="submit" value="Search" ><br /><br />SQL Query String : <?phpif(isset($_GET['submit'])) {$val = $_GET['search'];$str_sql = "SELECT id,name,countrycode FROM City where id = $val";echo "<b>$str_sql</b>";echo "<br />";$dbms='mysql';      //数据库类型$host='127.0.0.1';  //数据库主机名$dbName='world';    //使用的数据库$user='root';       //数据库连接用户名$pass='';           //对应的密码$dsn="$dbms:host=$host;dbname=$dbName";try {    // 连接到数据库    $dbh = new PDO($dsn, $user, $pass);      $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);      $dbh->exec('set names utf8');         echo "<br /><br />";    // 遍历    foreach ($dbh->query($str_sql) as $row)     {        //print_r($row);           //你可以用 echo($GLOBAL); 来看到这些值    echo '<table border="1">';    echo "<tr>";    echo "<td>";        echo "id: {$row['id']}        ";        echo "</td>";        echo "<td>";        echo "name: {$row['name']}        ";        echo "</td>";        echo "<td>";        echo "countrycode: {$row['countrycode']}        ";        echo "</td>";        echo "</tr>";        echo "</table>";    }    $dbh = null;} catch (PDOException $e) {    die ("Error!: " . $e->getMessage() . "<br/>");}}else{echo "please input the number ID !!!";}?></div></form>

浏览器直接访问：http://localhost/index.php

mysql 数据库中结果

到此，我的第一个 php 程序结束。。。。。

一个 简单的 SQL 注入验证

输入要查询的 ID (数字)，点击 search 按钮，注意 浏览器 url 变化，传递一个参数 search=1 。然后下面显示查询结果。

现在修改 URL 传递的参数。

修改后的 URL 为 ：http://localhost/index.php?search=1 or '1'='1'&submit=Search

再来一个复杂点的 SQL 注入验证:

URL：http://localhost/index.php?search=1 union select code,name,region from Country LIMIT 5;&submit=Search

一个读取文件的 SQL 注入

至此，一个简单的 SQL 注入验证完成。SQL 注入不止这些东西，以后慢慢学习研究。。。

SQL注入攻击与防御 第二版：http://download.csdn.net/detail/hx0_0_8/9284595