0
我意識到我所問的軟件已經過時了,至少可以這麼說,但這是由於這個實驗的限制。這不是一項家庭作業,只是一個在多個操作系統和配置上測試sql注入的實驗。PHP相關 - 讓SQL Server 2005與Windows Server 2003合作
我試圖找到一種方法來設置Windows Server 2003機器上的MS SQL服務器,並且它很困難。我終於得到了所有它成立的,我可以運行phpinfo()函數在本地主機的成功上,而是通過HTM文件提交的用戶名和密碼後,運行我的查詢時,我得到這個錯誤:
Array ([0] => Array ([0] => IMSSP [SQLSTATE] => IMSSP [1] => -49 [code] => -49 [2] => This extension requires the Microsoft SQL Server 2012 Native Client. Access the following URL to download the Microsoft SQL Server 2012 Native Client ODBC driver for x86: http://go.microsoft.com/fwlink/?LinkId=163712 [message] => This extension requires the Microsoft SQL Server 2012 Native Client. Access the following URL to download the Microsoft SQL Server 2012 Native Client ODBC driver for x86: http://go.microsoft.com/fwlink/?LinkId=163712) [1] => Array ([0] => IM002 [SQLSTATE] => IM002 [1] => 0 [code] => 0 [2] => [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified [message] => [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified))
我安裝了Microsoft SQL Server 2008 Native Client,因爲2012年與2003不兼容。我試過了,只是在安裝過程中出現錯誤。如果任何人有解決方案或者我可能忽視的東西,那將是完美的。
對於一些額外的見解,這裏是我的PHP文件運行。注意評論,它以前是一個MySQL的PHP腳本:
<?php
echo "<center> <img src=\"bookstore.jpg\"><br /> ";
echo "<font color=green size=6> Database Query Results </font>";
$Id = $_POST["Id"];
$pass = $_POST["pass"];
#$name = mysql_real_escape_string($_POST["fname"]);
#$age = mysql_real_escape_string($_POST["age"]);
$db_host = '.\SQLExpress';
$db_user = 'SCADATEST';
$db_pwd = '';
$database = 'bookorders';
$table = 'Customers';
// Connect to the database server
//$con = mssql_connect('localhost', 'SCADATEST', '');
//$connectionInfo = array("UID" => $db_user, "PWD" => $db_pwd, "Database"=>$database);
//$connection = mssql_connect('localhost', 'SCADATEST', '');
//$con = sqlsrv_connect($db_host, $connectionInfo);
//if (!$con)
// {
//# die('Could not connect: ' . $age . ' '.mysql_error());
// die('Could not connect: ' . ' ' . print_r(sqlsrv_errors(), true));
// }
$connectionInfo = array("Database"=>"$database");
$conn = sqlsrv_connect($db_host, $connectionInfo);
if($conn) {
echo "Connection established.<br />";
}else{
echo "Connection could not be established.<br />";
die(print_r(sqlsrv_errors(), true));
}
// Open to the database
//mysql_select_db("bookorders") or die(mysql_error());
//Create query string
$QueryStr = 'SELECT * FROM Customers where Username=\'' . $Id . '\' and Pwd=\'' . $pass . '\';';
#$QueryStr = 'SELECT * FROM Customers; SELECT * FROM Orders; -- and Pwd=';
//$QueryStr= "SELECT * FROM Customers where Username='' OR 1=1; -- ' and Pwd='fsd';"
//echo $QueryStr ;
//echo "<br />";
$queries = preg_split("/;+(?=([^'|^\\\']*['|\\\'][^'\^\\\']*['|\\\'])*[^'\^\\\']*[^'|^\\\']$)/",$QueryStr);
#$queries = split('[/;]',$QueryStr);
// Select all records from the "Individual" table
foreach ($queries as $query){
if (strlen(trim($query)) > 0){
$result = sqlsrv_query($conn,$query) or die(mysql_error());
echo "<HR><P><table border=2><tr>";
//first print the column names as headers
for ($i=0; $i < sqlsrv_num_fields($result); $i++){
$field_info = mysql_fetch_field($result, $i);
echo "<th>{$field_info->name}</th>";
}
echo "</tr>";
// Loop thru each record (using the PHP $row variable),
while($row = sqlsrv_fetch_array($result)){
//now print the data
$c=0;
echo "<tr>";
while ($c < sqlsrv_num_fields($result)){
echo "<td>{$row[$c]}</td>";
$c++;
} //end of inner while
echo "</tr>";
}//end of outer while
echo "</table> <P> <HR>";
} //end of if
echo "<br /><br /> ";
} //end of for each
echo "<a href=\"index.html\"> Return to Home </a> ";
echo "<hr><font color=red size=1> Copyright 2013. Guillermo Francia, III-Jacksonville State <hr></center>";
sqlsrv_close($con);
?>
任何人可能有任何幫助,以獲得此功能將是巨大的。