来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] http: 127 0 0 1 easethink message php?act=if($_REQUEST[ 39;act 39;] == 39;add 39;){if(!$user_info){showErr($GLOBALS[ 39;lang 39;][ 39;PLEASE_LOGIN_FIRST 39;]);}if($_REQUEST[ 39;conten...
http://127.0.0.1/easethink/message.php?act=
if($_REQUEST['act'] == 'add') { if(!$user_info) { showErr($GLOBALS['lang']['PLEASE_LOGIN_FIRST']); } if($_REQUEST['content']=='') { showErr($GLOBALS['lang']['MESSAGE_CONTENT_EMPTY']); } if(!check_ipop_limit(get_client_ip(),"message",intval(app_conf("SUBMIT_DELAY")),0)) { showErr($GLOBALS['lang']['MESSAGE_SUBMIT_FAST']); } $rel_table = $_REQUEST['rel_table']; $message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'"); if(!$message_type) { showErr($GLOBALS['lang']['INVALID_MESSAGE_TYPE']); } $message_group = $_REQUEST['message_group']; //添加留言 $message['title'] = htmlspecialchars(addslashes($_REQUEST['content'])); $message['content'] = htmlspecialchars(addslashes($_REQUEST['content'])); if($message_group) { $message['title']="[".$message_group."]:".$message['title']; $message['content']="[".$message_group."]:".$message['content']; } $message['create_time'] = get_gmtime(); $message['rel_table'] = $rel_table; $message['rel_id'] = $_REQUEST['rel_id']; $message['user_id'] = intval($GLOBALS['user_info']['id']); $message['city_id'] = $deal_city['id']; if(app_conf("USER_MESSAGE_AUTO_EFFECT")==0) { $message_effect = 0; } else { $message_effect = $message_type['is_effect']; } $message['is_effect'] = $message_effect; $GLOBALS['db']->autoExecute(DB_PREFIX."message",$message); showSuccess($GLOBALS['lang']['MESSAGE_POST_SUCCESS']); } else { $rel_table = $_REQUEST['act']; $message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");
参数act 未做过滤导致直接带入数据库查询。导致注入。
http://127.0.0.1/easethink/link.php?act=go&city=fujian&url=
if($_REQUEST['act']=='go') { $url = ($_REQUEST['url']); $link_item = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."link where (url = '".$url."' or url = 'http://".$url."') and is_effect = 1"); if($link_item) { if(check_ipop_limit(get_client_ip(),"Link",10,$link_item['id'])) $GLOBALS['db']->query("update ".DB_PREFIX."link set count = count + 1 where id = ".$link_item['id']); $url = "http://".$url; } else { $url = APP_ROOT."/"; } app_redirect($url); }
url参数未做过滤直接带入数据库 导致sql注入
修复方案:
过滤
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com