来源:自学PHP网 时间:2015-04-16 23:15 作者: 阅读:次
[导读] http: 127 0 0 1 easethink message php?act=if($_REQUEST[ 39;act 39;] == 39;add 39;){if(!$user_info){showErr($GLOBALS[ 39;lang 39;][ 39;PLEASE_LOGIN_FIRST 39;]);}if($_REQUEST[ 39;conten...
|
http://127.0.0.1/easethink/message.php?act=
if($_REQUEST['act'] == 'add')
{
if(!$user_info)
{
showErr($GLOBALS['lang']['PLEASE_LOGIN_FIRST']);
}
if($_REQUEST['content']=='')
{
showErr($GLOBALS['lang']['MESSAGE_CONTENT_EMPTY']);
}
if(!check_ipop_limit(get_client_ip(),"message",intval(app_conf("SUBMIT_DELAY")),0))
{
showErr($GLOBALS['lang']['MESSAGE_SUBMIT_FAST']);
}
$rel_table = $_REQUEST['rel_table'];
$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");
if(!$message_type)
{
showErr($GLOBALS['lang']['INVALID_MESSAGE_TYPE']);
}
$message_group = $_REQUEST['message_group'];
//添加留言
$message['title'] = htmlspecialchars(addslashes($_REQUEST['content']));
$message['content'] = htmlspecialchars(addslashes($_REQUEST['content']));
if($message_group)
{
$message['title']="[".$message_group."]:".$message['title'];
$message['content']="[".$message_group."]:".$message['content'];
}
$message['create_time'] = get_gmtime();
$message['rel_table'] = $rel_table;
$message['rel_id'] = $_REQUEST['rel_id'];
$message['user_id'] = intval($GLOBALS['user_info']['id']);
$message['city_id'] = $deal_city['id'];
if(app_conf("USER_MESSAGE_AUTO_EFFECT")==0)
{
$message_effect = 0;
}
else
{
$message_effect = $message_type['is_effect'];
}
$message['is_effect'] = $message_effect;
$GLOBALS['db']->autoExecute(DB_PREFIX."message",$message);
showSuccess($GLOBALS['lang']['MESSAGE_POST_SUCCESS']);
}
else
{
$rel_table = $_REQUEST['act'];
$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");
参数act 未做过滤导致直接带入数据库查询。导致注入。
 http://127.0.0.1/easethink/link.php?act=go&city=fujian&url=
if($_REQUEST['act']=='go')
{
$url = ($_REQUEST['url']);
$link_item = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."link where (url = '".$url."' or url = 'http://".$url."') and is_effect = 1");
if($link_item)
{
if(check_ipop_limit(get_client_ip(),"Link",10,$link_item['id']))
$GLOBALS['db']->query("update ".DB_PREFIX."link set count = count + 1 where id = ".$link_item['id']);
$url = "http://".$url;
}
else
{
$url = APP_ROOT."/";
}
app_redirect($url);
}
url参数未做过滤直接带入数据库 导致sql注入
 修复方案:
过滤
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
