来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] include fun_personal php(346-373)$resume_work=get_resume_work($uid,$pid);$resume_training=get_resume_training($uid,$pid);$resume_photo=$resume_basic[ 39;photo_img 39;];if (!empty($resume_work)...
/include/fun_personal.php(346-373)
$resume_work=get_resume_work($uid,$pid); $resume_training=get_resume_training($uid,$pid); $resume_photo=$resume_basic['photo_img']; if (!empty($resume_work))$percent=$percent+13; if (!empty($resume_training))$percent=$percent+13; if (!empty($resume_photo))$percent=$percent+14; $setsqlarr['complete']=1; $setsqlarr['complete_percent']=$percent; require_once(QISHI_ROOT_PATH.'include/splitword.class.php'); $sp = new SPWord(); $setsqlarr['key']=$resume_basic['intention_jobs'].$resume_basic['recentjobs'].$resume_basic['specialty']; echo $setsqlarr['key']."<br>"; $setsqlarr['key']="{$resume_basic['fullname']} ".$sp->extracttag($setsqlarr['key']); $setsqlarr['key']=str_replace(","," ",$resume_basic['intention_jobs'])." {$setsqlarr['key']} {$resume_basic['education_cn']}"; $setsqlarr['key']=$sp->pad($setsqlarr['key']); if (!empty($resume_education)) { foreach($resume_education as $li) { $setsqlarr['key']="{$li['school']} {$setsqlarr['key']} {$li['speciality']}"; } } $setsqlarr['refreshtime']=$timestamp; } updatetable(table('resume'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'");
当执行到$resume_work=get_resume_work($uid,$pid); 然后执行到$setsqlarr['key']=$sp->pad($setsqlarr['key']);对此之前存入数据库的数据原封不动的获取出来,当数据流向updatetable(table('resume'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'");故而触发sql注入漏洞
具体发送请求如图所示:
根据此逻辑过程,完全就变成一个最为普通的sql注入了,所以读者可以想干什么,就干什么
修复方案:
在get_resume_work这个函数返回时候做转义
或者在$sp->pad函数返回时候做转义即可
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com