sql和shell注入测试
1.整数型参数，必须intval转义,用addslashes转义不行
<?php
$test = $_REQUEST["test"];
$test = addslashes($test);
$sql =" select * from tbl1 where id=$test";
print $sql;


//输入test=1 or 1=1 得到 select * from tbl1 where id=1 or 1=1被注入
?>


<?php
$test = $_REQUEST["test"];
$test = intval($test);
$sql =" select * from tbl1 where id=$test";
print $sql;


//输入 test=1 or 1=1 得到 select * from tbl1 where id=1
?>
2.字符串型参数，必须addslashes转义
<?php
$test = $_REQUEST["test"];
$sql =" select * from tbl1 where xxx='$test'";
print $sql;


//输入 test=1 or 1=1 得到 select * from tbl1 where xxx='1' or 1=1' 被注入
?>


<?php
$test = $_REQUEST["test"];
$test = addslashes($test);
$sql =" select * from tbl1 where xxx='$test'";
print $sql;


//输入 test=1 or 1=1 得到 select * from tbl1 where xxx='1\' or 1=1'
?>
3.执行系统命令的，必须 escapeshellarg 转义
<?php
$test = $_REQUEST["test"];
$cmd ="host ".$test;
print $cmd;


//输入test=www.baidu.com%26%26uname 得到 host www.baidu.com&&uname ,越界命令被执行了
?>


<?php
$test = $_REQUEST["test"];
$test = addslashes($test);
$cmd ="host ".$test;
print $cmd;


//输入test=www.baidu.com%26%26uname 得到 host www.baidu.com&&uname ,越界命令被执行了，addslashes不能防护shell注入
?>


<?php
$test = $_REQUEST["test"];
$test = escapeshellarg($test);
$cmd ="host ".$test;
print $cmd;


//输入test=www.baidu.com%26%26uname 得到 host "www.baidu.com&&uname"
?>