Time-based Blind SQL Injection 해킹 대비

This commit is contained in:
2026-03-17 17:11:52 +09:00
parent a57fc28825
commit 51b9a99f95
3 changed files with 29 additions and 9 deletions
+28
View File
@@ -0,0 +1,28 @@
# SQL Injection 방어 - Apache 레벨 WAF
# Time-based Blind SQL Injection 공격 패턴 차단
<IfModule mod_rewrite.c>
RewriteEngine On
# SLEEP(), BENCHMARK() 등 시간 지연 함수 차단 (Time-based Blind SQLi 핵심 패턴)
RewriteCond %{QUERY_STRING} (sleep|benchmark|waitfor\s+delay|pg_sleep) [NC]
RewriteRule .* - [F,L]
RewriteCond %{REQUEST_URI} (sleep|benchmark|waitfor\s+delay|pg_sleep) [NC]
RewriteRule .* - [F,L]
# POST body의 SQLi 패턴은 mod_security로 처리 (아래 참조)
</IfModule>
# PHP 에러 메시지 노출 방지
<IfModule mod_php7.c>
php_flag display_errors Off
php_flag log_errors On
</IfModule>
<IfModule mod_php.c>
php_flag display_errors Off
php_flag log_errors On
</IfModule>
# 서버 정보 숨기기
ServerSignature Off
@@ -16,21 +16,16 @@ $prev_best_record_id = -1;
$prev_best_record = 0; $prev_best_record = 0;
$prev_best_record_id = get_best_record($maestro_id, $app_id, $player_id); $prev_best_record_id = get_best_record($maestro_id, $app_id, $player_id);
echo "id : ".$prev_best_record_id." ".$prev_best_record;
if($prev_best_record_id === null || $prev_best_record_id < 0) { if($prev_best_record_id === null || $prev_best_record_id < 0) {
echo "insert";
insert_best_record($maestro_id, $app_id, $player_id, $record); insert_best_record($maestro_id, $app_id, $player_id, $record);
} else { } else {
echo $record." ".$prev_best_record;
if(is_highest_record_prefer_app($app_id)) { if(is_highest_record_prefer_app($app_id)) {
if($record > $prev_best_record) { if($record > $prev_best_record) {
echo "update";
update_best_record($prev_best_record_id, $record); update_best_record($prev_best_record_id, $record);
} }
} else { } else {
if($record < $prev_best_record) { if($record < $prev_best_record) {
echo "update";
update_best_record($prev_best_record_id, $record); update_best_record($prev_best_record_id, $record);
} }
} }
@@ -38,9 +33,6 @@ if($prev_best_record_id === null || $prev_best_record_id < 0) {
// highest record is the highest record // highest record is the highest record
$app_highest_record = get_app_highest_record($maestro_id, $app_id, $player_id); $app_highest_record = get_app_highest_record($maestro_id, $app_id, $player_id);
echo "\napp_highest_record : $app_highest_record";
// echo "\nrecord : $record";
if($app_highest_record == null) { if($app_highest_record == null) {
insert_app_highest_record($maestro_id, $app_id, $player_id, $record); insert_app_highest_record($maestro_id, $app_id, $player_id, $record);
// echo "\ninsert_app_highest_record : $record"; // echo "\ninsert_app_highest_record : $record";
+1 -1
View File
@@ -15,7 +15,7 @@ if($hasServiceDBSetting == true) {
// connect db // connect db
$db_conn = new mysqli($db_host, $db_user, $db_passwd, $db_name); $db_conn = new mysqli($db_host, $db_user, $db_passwd, $db_name);
if ($db_conn->connect_error) { if ($db_conn->connect_error) {
set_error_message("Failed to connect DB: ".$db_conn->connect_error); set_error_message("DB connection failed.");
send_result_fail(); send_result_fail();
exit; exit;
} else { } else {