<!-- If the browser does not support frames put the first topic content here --> <div class="WordSection1"> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:21.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Rappel sur le concept d'injection SQL</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> L'idée est de parvenir à créer un script </span><b><span style='font-size:11.5pt;font-family:"Arial",sans-serif; color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/php" target="_blank" title="PHP"><span style= 'color:#007BFF;text-decoration:none'>PHP</span></a></span></b><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'> (avec l'objet <b>PDO</b> pour interroger une base de données <b>MySQL</b>) qui ne sera pas perméable aux techniques permettant de réaliser des attaques par </span><b><span style= 'font-size: 11.5pt;font-family:"Arial",sans-serif;color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks" target="_blank" title="injection SQL"><span style= 'color:#007BFF;text-decoration: none'>injection SQL</span></a></span></b><span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#212529;letter-spacing:-.75pt'>.</span></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> L'</span><span style= 'font-size: 11.5pt;font-family:"Arial",sans-serif;color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks" target="_blank" title="Injection SQL"><span style= 'color:#007BFF;text-decoration: none'>injection SQL</span></a></span><span style= 'font-size:11.5pt;font-family: "Arial",sans-serif;color:#212529;letter-spacing:-.75pt'>, est possible uniquement quand une requête est générée à partir de données fournies par un utilisateur. Données utilisées directement pour construire tout ou partie d'une requête </span><b><span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/sql"><span style='color:#007BFF;text-decoration:none'>SQL</span><span style='color:#007BFF; font-weight:normal;text-decoration:none'> </span></a></span></b><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'>(insert, update, jointure, conditions de filtrages, de regroupement). </span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;text-align: justify;line-height:normal;background:#FFF3CD'> <span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#856404;letter-spacing:-.75pt'> La technique d'<b>injection SQL</b> la plus courante vise à forcer l'analyseur de requête SQL à ignorer le reste de la requête en utilisant les symboles de mise en commentaires.</span></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:21.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Les injections SQL (<a href= "https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks"><span style='color:#007BFF;text-decoration:none'>SQLi</span></a>)</span></b></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;text-align: justify;line-height:20.8pt;background:white'> <span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#212529;letter-spacing:-.75pt'> L'attaque par </span><b><span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks" title="Injection SQL"><span style= 'color:#007BFF;text-decoration:none'>injection SQL</span><span style= 'color:#007BFF;font-weight:normal;text-decoration:none'> (SQLi)</span></a></span></b><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'> est un ensemble de techniques qui permettent à un attaquant d'utiliser une faiblesse dans le code développé, avec pour objectif de détourner l'utilisation prévue d'une requête SQL dans son contexte applicatif. La finalité étant d'injecter tout ou fragment d'une requête SQL dans la requête qui doit normalement s'exécuter à un instant T de l'application (exemple : identification, suppression de compte, …).</span></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Typiquement toute exécution d'une requête SQL qui attribue directement des valeurs par concaténation et/ou qui utilise directement des variables provenant directement du front sans aucun traitement crée cette faille dans son code. En </span><b><span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/php" target="_blank" title="Php"><span style= 'color:#007BFF;text-decoration:none'>PHP</span></a></span></b><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'> une requête SQL avec cette faille se présente de la manière suivante :</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:12.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Pdo_Object-></span><span style= 'font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>query</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>'SELECT * FROM users WHERE login= '</span> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'> .</span><span style= 'font-size:11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'>$_POST</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364; letter-spacing:-.75pt'>[</span><span style='font-size:11.5pt;font-family:Consolas; color:#2F9C0A;letter-spacing:-.75pt'>'login'</span><span style='font-size:11.5pt; font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>]</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364; letter-spacing:-.75pt'>.</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'> ' AND password='</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>.</span><span style='font-size:11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'>$_POST</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364; letter-spacing:-.75pt'>[</span><span style='font-size:11.5pt;font-family:Consolas; color:#2F9C0A;letter-spacing:-.75pt'>'password'</span><span style='font-size: 11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>]</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364; letter-spacing:-.75pt'>.</span><span style='font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'>'</span><span style='font-size:11.5pt; font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>);</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;text-align: justify;line-height:normal;background:white'> <span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#212529;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Si un utilisateur mal intentionné assigne à la valeur </span><span style= 'font-size:10.0pt;font-family:Consolas; color:#E83E8C;letter-spacing:-.75pt'>$_POST['login']</span><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'> la valeur :</span><span style= 'font-size:10.0pt; font-family:Consolas;color:#E83E8C;letter-spacing:-.75pt'> "admin';--"</span><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'> alors la concaténation du PHP génèrera une requête SQL qui ne tiendra pas compte du mot de passe.</span></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> On parle de perméabilité aux injections SQL.</span></p> <b><span style= 'font-size:21.0pt;line-height:107%;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'><br clear="all" style='page-break-before: always' /></span></b> <p class="MsoNormal"><b><span style= 'font-size:21.0pt;line-height:107%; font-family:"Arial",sans-serif;color:#1A2856;letter-spacing:-.75pt'> </span></b></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:21.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Concept de protection contre les </span></b><b><span style= 'font-size:21.0pt;font-family:"Arial",sans-serif;color:#007BFF; letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks"><span style='color:#007BFF;text-decoration:none'>injections SQL</span></a></span></b></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;text-align: justify;line-height:normal;background:#FFF3CD'> <b><span style= 'font-size:11.5pt; font-family:"Font Awesome 5 Free",serif;color:#856404;letter-spacing:-.75pt'> </span></b><span style= 'font-size:11.5pt;font-family:"Arial",sans-serif;color:#856404; letter-spacing:-.75pt'>La sécurisation doit s'effectuer sur plusieurs niveaux pour limiter la surface d'attaque.</span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Premier niveau de lutte contre les </span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif;color:#007BFF; letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks"><span style='color:#007BFF;text-decoration:none'>injections SQL</span></a></span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif;color:#1A2856; letter-spacing:-.75pt'>, les droits SQL de l'utilisateur</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Dans un schéma idéal de sécurisation, il devrait systématiquement y avoir deux connexions SQL, une, utilisée pour accéder aux ressources en lecture, et une seconde en écriture. Chacune avec le minimum de droit requis pour les besoins de l'application. Ce modèle de sécurisation permet de limiter la portée de chaque <b>injection SQL</b> possible. Cette stratégie n'est pas toujours possible (limite de l'hébergement), et à défaut, le compte utilisateur utilisé devrait avoir les accès minimums nécessaires au fonctionnement de l'application.</span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Second niveau de protection contre les </span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks"><span style='color:#007BFF;text-decoration:none'>injections SQL</span></a></span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif;color:#1A2856; letter-spacing:-.75pt'>, la couche d'accès aux données</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Dans une architecture MVC ou trois tiers, la DAL (data access layer) est l'objet qui permet de s'interfacer avec la base de données pour exécuter les requêtes SQL (exemple : l'objet <b>PDO en PHP</b>). Elle devrait systématiquement être intégrée dans les applicatifs via un wrapper (surcouche logicielle) qui réaliserait des préparations des requêtes avant leur exécution de manière à garantir que <b>100% des requêtes sont utilisées via une requête préparée</b>.</span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Troisième niveau de défense contre les </span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks"><span style='color:#007BFF;text-decoration:none'>injections SQL</span></a></span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif;color:#1A2856; letter-spacing:-.75pt'>, le modèle / l'objet relationnel</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Toujours dans le cadre d'une architecture professionnelle, les données émanant de la base de données ou d'un formulaire, devraient passer par un objet relationnel qui réaliserait les contrôles et les transcodages nécessaires, sur le format des données attendues (ou à défaut retourner une valeur prédéfinie, voir annuler le traitement) de manière à garantir le typage et le format des données.</span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Quatrième et dernière ligne de défense contre les </span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks"><span style='color:#007BFF;text-decoration:none'>injections SQL</span></a></span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif;color:#1A2856; letter-spacing:-.75pt'>, les données du front</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Les données qui proviennent du front que ce soit un formulaire utilisateur ou une API exposée doivent être immédiatement "nettoyées" puis contrôlées, pour répondre au format attendu par rapport à leur nom de paramètre. (ex : un paramètre « id » attend exclusivement un entier supérieur à zéro, mais rien d'autre). Seules les données "sécurisées" devraient être utilisées dans la suite du flux d'exécution de l'application.</span></p> <b><span style= 'font-size:21.0pt;line-height:107%;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'><br clear="all" style='page-break-before: always' /></span></b> <p class="MsoNormal"><b><span style= 'font-size:21.0pt;line-height:107%; font-family:"Arial",sans-serif;color:#1A2856;letter-spacing:-.75pt'> </span></b></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:21.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> L'objet PHP Data Object (PDO)</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> En </span><b><span style= 'font-size: 11.5pt;font-family:"Arial",sans-serif;color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/sql"><span style='color:#007BFF;text-decoration:none'>PHP</span></a></span></b><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'>, l'objet <b>PDO</b> est une classe qui permet de s'interfacer avec une base de données ici en <b>MySQL</b> pour communiquer avec elle via des requêtes SQL. Une bonne pratique dans sa mise en œuvre protège efficacement les applications contre les risques d'<b>injection SQL</b>.</span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Définition du pilote de SGBD pour utiliser PHP PDO en MySQL</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Pour définir le pilote à utiliser (<b>MySql</b>,PostGr,etc) par le serveur qui héberge votre instance de <b>PHP</b> il suffit de se rendre dans le fichier php.ini et d'ajouter (ou de modifier) la ligne extension (ici pour <b>MySQL</b>)</span></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:10.0pt;font-family:Consolas; color:#E83E8C;letter-spacing:-.75pt'> extension = php_pdo_mysql.dll</span></p> <p class="MsoNormal" align="center" style= 'margin-top:3.75pt;margin-right:0cm; margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;text-align:center; line-height:normal;background:white'> <span style= 'font-size:11.5pt;font-family: "Arial",sans-serif;color:#212529;letter-spacing:-.75pt'> Avec Wamp :</span></p> <p class="MsoNormal" align="center" style= 'margin-top:3.75pt;text-align:center; line-height:normal;background:white'> <span style= 'position:absolute;z-index: 251659264;left:0px;margin-left:374px;margin-top:742px;width:60px;height:12px'> <img width="48" height="10" src="php_pdo_fichiers/image001.png" alt="image" /></span><img border="0" width="98" height="243" id= "Image 1" src="php_pdo_fichiers/image002.jpg" alt="image" name= "Image 1" /></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Constructeur de l'objet PDO en PHP et chaîne de connexion pour MySQL</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Pour initialiser notre objet <b>PDO</b> dans le code <b>PHP </b>(à noter que la chaine de connexion dépend du moteur de sgbd utilisé).</span></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> On lui soumet les différentes informations :</span></p> <ol start="1" type="1"> <li class="MsoNormal" style= 'color:#212529;text-align:justify;line-height:normal; background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; letter-spacing:-.75pt'> host : l'adresse ip ou l'adresse dns du serveur cible hébergeant la base de donnée <b>MySQL</b></span></li> <li class="MsoNormal" style= 'color:#212529;text-align:justify;line-height:normal; background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; letter-spacing:-.75pt'> dbname : le nom de la base que l'on souhaite interroger.</span></li> <li class="MsoNormal" style= 'color:#212529;text-align:justify;line-height:normal; background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; letter-spacing:-.75pt'> user : à remplacer par votre profil utilisateur</span></li> <li class="MsoNormal" style= 'color:#212529;text-align:justify;line-height:normal; background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; letter-spacing:-.75pt'> password : à remplacer par le mot de passe du profil utilisateur utilisé</span></li> <li class="MsoNormal" style= 'color:#212529;text-align:justify;line-height:normal; background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; letter-spacing:-.75pt'> PDO::ATTR_ERRMODE : demande une erreur typée PDOException si une erreur survient</span></li> </ol> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:12.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Pdo_Object</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#1990B8;letter-spacing:-.75pt'> new</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#1990B8; letter-spacing:-.75pt'>PDO</span><span style='font-size:11.5pt;font-family: Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size: 11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>"mysql:host=127.0.0.1;dbname=DataBase"</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>,</span><span style='font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>"user"</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>,</span><span style='font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>"password"</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>,</span><span style='font-size:11.5pt;font-family:Consolas;color:#1990B8;letter-spacing:-.75pt'>array</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'>PDO</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>::</span><span style='font-size:11.5pt;font-family:Consolas;color:#C92C2C;letter-spacing:-.75pt'>ATTR_ERRMODE</span><span style='font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=></span> <span style= 'font-size:11.5pt;font-family: Consolas;color:black;letter-spacing:-.75pt'> PDO</span><span style= 'font-size: 11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>::</span><span style='font-size:11.5pt;font-family:Consolas;color:#C92C2C;letter-spacing:-.75pt'>ERRMODE_EXCEPTION</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364; letter-spacing:-.75pt'>));</span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Inutile d'ouvrir la connexion à la base de données MySQL avec PDO en </span></b><b><span style= 'font-size:18.0pt; font-family:"Arial",sans-serif;color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/sql"><span style='color:#007BFF;text-decoration:none'>PHP</span></a></span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> L'objet <b>PDO</b> de <b>PHP</b> ne nécessite pas d'ouvrir explicitement la connexion à la base de données <b>MySQL</b> avant de pouvoir communiquer avec elle. Cette connexion étant nativement établie à partir de l'initialisation de <b>l'objet PDO de PHP</b>.</span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Fermer la connexion à la base MySQL en PHP avec PDO</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Pour fermer la connexion à la base de données <b>MySQL</b> il suffit de rendre null l'objet <b>PDO</b> précédemment créer dans notre script </span><b><span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/sql"><span style='color:#007BFF;text-decoration:none'>PHP</span></a></span></b><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'>.</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:12.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Pdo_Object</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#C92C2C;letter-spacing:-.75pt'> null</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>;</span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Les requêtes MySQL en PHP avec PDO</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Pour exécuter une requête "classique" en <b>MySQL</b>, on déclare la requête dans le </span><b><span style= 'font-size:11.5pt;font-family:"Arial",sans-serif;color:#007BFF; letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/sql"><span style='color:#007BFF;text-decoration:none'>PHP</span></a></span></b><b><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'> avec l'objet PDO</span></b><span style= 'font-size: 11.5pt;font-family:"Arial",sans-serif;color:#212529;letter-spacing:-.75pt'> qui se charge d'aller récupérer les résultats (</span><span style= 'font-size:10.0pt; font-family:Consolas;color:#E83E8C;letter-spacing:-.75pt'>query()</span><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'> appelant implicitement la fonction </span><span style= 'font-size:10.0pt;font-family:Consolas;color:#E83E8C;letter-spacing:-.75pt'>execute()</span><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'>) enfin on effectue une récupération grâce à fetch puis on utilise les données ainsi retournées.</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#1990B8;letter-spacing:-.75pt'> try</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'> {</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Request</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Pdo_Object-></span><span style= 'font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>query</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>'SELECT id, title,author,date,isbn FROM books'</span><span style= 'font-size:11.5pt; font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>);</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#1990B8;letter-spacing:-.75pt'> while</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'>$Book</span><span style='font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Request-></span><span style= 'font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>fetch</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>())</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'> {</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#7D8B99;letter-spacing:-.75pt'> //Faire quelque choses des données</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'> }</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'> }</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#1990B8;letter-spacing:-.75pt'> catch</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'>PDOException</span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'> $pdo_e</span><span style= 'font-size:11.5pt;font-family: Consolas;color:#5F6364;letter-spacing:-.75pt'>)</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'> {</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#7D8B99;letter-spacing:-.75pt'> //Faire quelque choses en cas d'erreur PDO</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'> }</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#1990B8;letter-spacing:-.75pt'> catch</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'>Exception</span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'> $e</span><span style= 'font-size:11.5pt;font-family:Consolas; color:#5F6364;letter-spacing:-.75pt'>)</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'> {</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#7D8B99;letter-spacing:-.75pt'> //Pour les autres erreurs faire autre chose</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'> }</span></p> <b><span style= 'font-size:18.0pt;line-height:107%;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'><br clear="all" style='page-break-before: always' /></span></b> <p class="MsoNormal"><b><span style= 'font-size:18.0pt;line-height:107%; font-family:"Arial",sans-serif;color:#1A2856;letter-spacing:-.75pt'> </span></b></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Les requêtes "préparées" pour se protéger des </span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks"><span style='color:#007BFF;text-decoration:none'>injections SQL</span></a></span></b><b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif;color:#1A2856; letter-spacing:-.75pt'> avec PHP et PDO</span></b></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> En </span><span style= 'font-size: 11.5pt;font-family:"Arial",sans-serif;color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/sql"><span style='color:#007BFF;text-decoration:none'>PHP</span></a></span><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'> , les requêtes préparées de l'objet <b>PDO </b>offrent une couche de sécurité supplémentaire à vos requêtes <b>MySQL</b> car elles effectuent les contrôles nécessaires à la bonne sécurisation des données envoyées en paramètres. </span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;text-align: justify;line-height:normal;background:#CCE5FF'> <span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#004085;letter-spacing:-.75pt'> D'après la documentation <b>PHP</b> : <i>"si votre application utilise exclusivement les requêtes préparées, vous pouvez être sûr qu'aucune <b>injection SQL</b> n'est possible"</i>.</span></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Vu qu'aucune information n'est précisée et bien que la sécurité des requêtes préparées de l'objet <b>PDO</b> n'est plus à démontrer, on est sur une "boîte noire" il convient donc d'appliquer les contrôles de bases en amont. Dans notre script PHP on commence donc par sécuriser les paramètres provenant de l'utilisateur. Puis on contrôle que le format de la donnée une fois "nettoyée" correspond bien au format attendu. Si le format est discordant, on lève une erreur.</span></p> <p class="MsoNormal" style= 'margin-top:3.75pt;text-align:justify;line-height: normal;background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'> Maintenant pour les requêtes préparées le processus est légèrement différent.</span></p> <ol start="1" type="1"> <li class="MsoNormal" style= 'color:#212529;text-align:justify;line-height:normal; background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; letter-spacing:-.75pt'> On commence par créer un tableau associatif qui contient des couples clés=>valeur.</span></li> <li class="MsoNormal" style= 'color:#212529;text-align:justify;line-height:normal; background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; letter-spacing:-.75pt'> Puis on écrit notre requête <b>MySQL</b>. En assignant les "clés" aux emplacements que nous souhaitons, en prenant le soin des pré-fixers de deux points (ex : :target_isbn).</span></li> <li class="MsoNormal" style= 'color:#212529;text-align:justify;line-height:normal; background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; letter-spacing:-.75pt'> Encore une fois on soumet la requête à l'objet <b>PDO</b> mais par la fonction <b>PHP</b> prepare().</span></li> <li class="MsoNormal" style= 'color:#212529;text-align:justify;line-height:normal; background:white'> <span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; letter-spacing:-.75pt'> Puis via l'appel de la fonction de l'objet <b>PDO PHP</b> execute() on déclenche la sélection (cela fonctionne aussi avec des requêtes comme : insert, update, delete, …)</span></li> </ol> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:#1990B8;letter-spacing:-.75pt'> try</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:#5F6364;letter-spacing:-.75pt'> {</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $isbn</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'> Clear_Front_Variable</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'>$_GET</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>[</span><span style='font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>'isbn'</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>]);</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $allow</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'> Valid_Isbn_Format</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'>$isbn</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>);</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#1990B8;letter-spacing:-.75pt'> if</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'>!$allow</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>)</span><span style='font-size:11.5pt;font-family:Consolas;color:#1990B8; letter-spacing:-.75pt'>throw</span> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#1990B8;letter-spacing:-.75pt'> new</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#1990B8; letter-spacing:-.75pt'>Exception</span><span style='font-size:11.5pt; font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>"Le format de l'isbn ne correspond pas au format attendu"</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>);</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Arr_Key_Value</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#1990B8;letter-spacing:-.75pt'> array</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>'target_isbn'</span><span style='font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=></span> <span style= 'font-size: 11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $isbn</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>);</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Sql_Query</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'> "SELECT id,title,author,date,isbn FROM books WHERE isbn=:target_isbn"</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>;</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Request=</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>$Pdo_Object-></span><span style='font-size:11.5pt; font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>prepare</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'>$Sql_Query</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>);</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Request-></span><span style= 'font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>execute</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'>$Arr_Key_Value</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>);</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Datatable</span><span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'>=</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#A67F59;letter-spacing:-.75pt'> $Request-></span><span style= 'font-size:11.5pt;font-family:Consolas;color:#2F9C0A;letter-spacing:-.75pt'>fetchAll</span><span style='font-size:11.5pt;font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>();</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:#5F6364;letter-spacing:-.75pt'> }</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:#1990B8;letter-spacing:-.75pt'> catch</span><span style= 'font-size:11.5pt; font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'>PDOException</span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'> $pdo_e</span><span style= 'font-size:11.5pt;font-family: Consolas;color:#5F6364;letter-spacing:-.75pt'>){</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#7D8B99;letter-spacing:-.75pt'> //Faire quelque choses en cas d'</span><span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'>erreur</span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#C92C2C;letter-spacing:-.75pt'> PDO</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:#5F6364;letter-spacing:-.75pt'> }</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:#1990B8;letter-spacing:-.75pt'> catch</span><span style= 'font-size:11.5pt; font-family:Consolas;color:#5F6364;letter-spacing:-.75pt'>(</span><span style='font-size:11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'>Exception</span> <span style= 'font-size:11.5pt;font-family:Consolas;color:#A67F59; letter-spacing:-.75pt'> $e</span><span style= 'font-size:11.5pt;font-family:Consolas; color:#5F6364;letter-spacing:-.75pt'>){</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:black;letter-spacing:-.75pt'> </span> <span style= 'font-size:11.5pt; font-family:Consolas;color:#7D8B99;letter-spacing:-.75pt'> //Pour les autres erreurs faire autre chose</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;line-height: normal;background:#FDFDFD'> <span style= 'font-size:11.5pt;font-family:Consolas; color:#5F6364;letter-spacing:-.75pt'> }</span></p> <p class="MsoNormal" style= 'margin-top:6.0pt;margin-right:0cm;margin-bottom:6.0pt; margin-left:0cm;line-height:normal;background:#FDFDFD'> <span style= 'font-size: 11.5pt;font-family:Consolas;color:black;letter-spacing:-.75pt'> </span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;text-align: justify;line-height:normal;background:#FFF3CD'> <span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#856404;letter-spacing:-.75pt'> Les fonctions </span><span style= 'font-size:10.0pt;font-family:Consolas; color:#E83E8C;letter-spacing:-.75pt'>Clear_Front_Variable</span><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#856404; letter-spacing:-.75pt'> et </span><span style='font-size:10.0pt; font-family:Consolas;color:#E83E8C;letter-spacing:-.75pt'>Valid_Isbn_Format</span><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#856404; letter-spacing:-.75pt'> ne servent qu'à titre d'exemple. Ce sont des fonctions PHP qui contiennent respectivement des utilisations des fonctions natives </span><span style= 'font-size:10.0pt;font-family:Consolas; color:#E83E8C;letter-spacing:-.75pt'>preg_replace</span><span style='font-size: 11.5pt;font-family:"Arial",sans-serif;color:#856404;letter-spacing:-.75pt'> (pour supprimer les caractères attendus) et à </span><span style= 'font-size: 10.0pt;font-family:Consolas;color:#E83E8C;letter-spacing:-.75pt'>preg_match</span><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#856404; letter-spacing:-.75pt'> (pour contrôler que le format final après remplacement, correspond strictement au format spécifique attendu). On peut également utiliser les expressions régulières (vues plus tard).</span></p> <p class="MsoNormal" style= 'margin-top:22.5pt;text-align:justify;line-height: normal;background:white'> <b><span style= 'font-size:18.0pt;font-family:"Arial",sans-serif; color:#1A2856;letter-spacing:-.75pt'> Conclusion</span></b></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;text-align: justify;line-height:20.8pt;background:white'> <span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#212529;letter-spacing:-.75pt'> En </span><b><span style= 'font-size:11.5pt;font-family:"Arial",sans-serif;color:#007BFF; letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/sql"><span style='color:#007BFF;text-decoration:none'>PHP</span></a></span></b><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'>, une bonne intégration dans l'usage de l'<b>objet PDO</b> est indispensable pour se prémunir des risques d'</span><span style= 'font-size: 11.5pt;font-family:"Arial",sans-serif;color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks" title="injection SQL"><span style= 'color:#007BFF;text-decoration:none'>injection SQL</span></a></span><span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'>.</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;text-align: justify;line-height:20.8pt;background:white'> <span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#212529;letter-spacing:-.75pt'> Le </span><b><span style= 'font-size:11.5pt;font-family:"Arial",sans-serif;color:#007BFF; letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publications/sql"><span style='color:#007BFF;text-decoration:none'>PHP</span></a></span></b><b><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'> </span></b><span style='font-size:11.5pt; font-family:"Arial",sans-serif;color:#212529;letter-spacing:-.75pt'>offre de nombreux outils permettant de contrôler et de garantir le format des données (principalement : </span><span style= 'font-size:10.0pt;font-family:Consolas; color:#E83E8C;letter-spacing:-.75pt'>preg_match</span><span style='font-size: 11.5pt;font-family:"Arial",sans-serif;color:#212529;letter-spacing:-.75pt'> et </span><span style='font-size:10.0pt;font-family:Consolas;color:#E83E8C;letter-spacing:-.75pt'>preg_replace</span><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#212529; letter-spacing:-.75pt'>).</span></p> <p class="MsoNormal" style= 'margin-bottom:0cm;margin-bottom:.0001pt;text-align: justify;line-height:20.8pt;background:white'> <span style= 'font-size:11.5pt; font-family:"Arial",sans-serif;color:#212529;letter-spacing:-.75pt'> Par ailleurs grâce à une utilisation adaptée de l'<b>objet PDO</b> pour préparer les requêtes <b>MySQL </b>il devient impossible pour un attaquant de parvenir à ses fins avec une </span><span style= 'font-size: 11.5pt;font-family:"Arial",sans-serif;color:#007BFF;letter-spacing:-.75pt'><a href="https://analyse-innovation-solution.fr/publication/fr/hacking/injection-sql-sqli-dorks" title="injection SQL"><span style= 'color:#007BFF;text-decoration:none'>injection SQL</span></a></span><span style= 'font-size:11.5pt;font-family:"Arial",sans-serif; color:#212529;letter-spacing:-.75pt'>.</span><span style='font-size:11.5pt; font-family:"Arial",sans-serif;color:black;letter-spacing:-.75pt'><br /> <br /></span></p> <p class="MsoNormal"> </p> </div>
Table des matières
Sujets
Recherche
Help content
Help content
Générée avec
chmProcessor
Générée avec
chmProcessor