[英]Help with a MySQL query
我被问到一个问题,但是我什至无法开始回答,所以有人可以给我一个想法,就是开始如何回答这个问题,
我不是在寻找答案,而只是在教一些如何回答它
开始:
假设“ regsister_globals”和“ magic_quotes_gpc”已打开,那么这段代码有什么问题? 记录可能的漏洞,然后修复以产生安全版本(存在4个错误)
$p = $_GET["p"];
if ($sp == "index.php") {
if ($_get["id"] == 345)
$filter - addslashes($_get["id"]);
$sql = "SELECT * FROM users WHERE id = {$filter}";
$row - mydql_fetch_assoc(mysql_query($sql));
echo <<< HTML
<html>
...... user details .....
</html>
HTML.
} else
include ($p);
搜寻“ SQL注入”和“输入验证”应该可以帮助您入门。
考虑到环境,
“假设“ regsister_globals ”和“ magic_quotes_gpc ”已打开”
我相信这种情况是要教会您这两种设置的风险。
与上面提到的php指令结合使用时,被剪切的代码实际上有4个错误与“永远不要信任来自脚本外部的任何信息”有关。
(不仅有4个错误,还有很多其他错误;有两个“ -
”应为“ =
”,而小写的“ _get
”应为大写等),但我猜这是只是错别字。)
这应该使您开始:
漏洞1:register_globals应该关闭-这是安全隐患。
$p = $_GET["p"];
// Where does $sp come from?
if ($sp == "index.php") {
// What the hell? So much wrong with these two lines
// 1. if id == 345 you don't need to addslashes
// 2. "-" should be "="
// 3. addslashes should be mysql_real_escape_string
// 4. the if() should be removed so it runs every time
if ($_get["id"] == 345)
$filter - addslashes($_get["id"]);
// SQL injection
$sql = "SELECT * FROM users WHERE id = {$filter}";
// Again with the "-" instead of "="
// Typo in the function name
// No error checking
$row - mydql_fetch_assoc(mysql_query($sql));
// No escaping of database input - vulnerable to XSS attacks
echo <<< HTML
<html>
...... user details .....
</html>
HTML. // Should be ; not .
} else
{
// I can include /etc/passwd by manipulating the URL
include ($p);
}
该代码容易受到SQL注入的攻击,因为用户数据无法转义。 使用mysql_real_escape_string
mydql_fetch_assoc应该是mysql_fetch_assoc
尝试这个:
<?php
$p = $_GET["p"];
if ($p == "index.php" && $_get["id"] == 345) {
$filter = mysql_real_escape_string($_get["id"]);
$sql = "SELECT * FROM users WHERE id = {$filter}";
$row = mysql_fetch_assoc(mysql_query($sql));
?>
<html>
...... user details .....
</html>
<?php
}
else if (strpos($p, '../')===false && file_exists($p)) {
include $p;
}
?>
<?php
$allow_includes = array(
'some1', 'some2'
);
$p = $_GET["p"];
if ($p == "index.php") {
if ($_GET["id"] == 345) {
$filter = mysql_real_escape_string($_GET["id"]);
}
$sql = "SELECT * FROM users WHERE id = '{$filter}'";
$row = mysql_fetch_assoc(mysql_query($sql));
?>
HTML.
<?php
}
elseif ( in_array($p, $allow_includes) ) {
include ($p);
}
else {
echo "Error 404";
}
?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.