[英]Help with a MySQL query
我被問到一個問題,但是我什至無法開始回答,所以有人可以給我一個想法,就是開始如何回答這個問題,
我不是在尋找答案,而只是在教一些如何回答它
開始:
假設“ regsister_globals”和“ magic_quotes_gpc”已打開,那么這段代碼有什么問題? 記錄可能的漏洞,然后修復以產生安全版本(存在4個錯誤)
$p = $_GET["p"];
if ($sp == "index.php") {
if ($_get["id"] == 345)
$filter - addslashes($_get["id"]);
$sql = "SELECT * FROM users WHERE id = {$filter}";
$row - mydql_fetch_assoc(mysql_query($sql));
echo <<< HTML
<html>
...... user details .....
</html>
HTML.
} else
include ($p);
搜尋“ SQL注入”和“輸入驗證”應該可以幫助您入門。
考慮到環境,
“假設“ regsister_globals ”和“ magic_quotes_gpc ”已打開”
我相信這種情況是要教會您這兩種設置的風險。
與上面提到的php指令結合使用時,被剪切的代碼實際上有4個錯誤與“永遠不要信任來自腳本外部的任何信息”有關。
(不僅有4個錯誤,還有很多其他錯誤;有兩個“ -
”應為“ =
”,而小寫的“ _get
”應為大寫等),但我猜這是只是錯別字。)
這應該使您開始:
漏洞1:register_globals應該關閉-這是安全隱患。
$p = $_GET["p"];
// Where does $sp come from?
if ($sp == "index.php") {
// What the hell? So much wrong with these two lines
// 1. if id == 345 you don't need to addslashes
// 2. "-" should be "="
// 3. addslashes should be mysql_real_escape_string
// 4. the if() should be removed so it runs every time
if ($_get["id"] == 345)
$filter - addslashes($_get["id"]);
// SQL injection
$sql = "SELECT * FROM users WHERE id = {$filter}";
// Again with the "-" instead of "="
// Typo in the function name
// No error checking
$row - mydql_fetch_assoc(mysql_query($sql));
// No escaping of database input - vulnerable to XSS attacks
echo <<< HTML
<html>
...... user details .....
</html>
HTML. // Should be ; not .
} else
{
// I can include /etc/passwd by manipulating the URL
include ($p);
}
該代碼容易受到SQL注入的攻擊,因為用戶數據無法轉義。 使用mysql_real_escape_string
mydql_fetch_assoc應該是mysql_fetch_assoc
嘗試這個:
<?php
$p = $_GET["p"];
if ($p == "index.php" && $_get["id"] == 345) {
$filter = mysql_real_escape_string($_get["id"]);
$sql = "SELECT * FROM users WHERE id = {$filter}";
$row = mysql_fetch_assoc(mysql_query($sql));
?>
<html>
...... user details .....
</html>
<?php
}
else if (strpos($p, '../')===false && file_exists($p)) {
include $p;
}
?>
<?php
$allow_includes = array(
'some1', 'some2'
);
$p = $_GET["p"];
if ($p == "index.php") {
if ($_GET["id"] == 345) {
$filter = mysql_real_escape_string($_GET["id"]);
}
$sql = "SELECT * FROM users WHERE id = '{$filter}'";
$row = mysql_fetch_assoc(mysql_query($sql));
?>
HTML.
<?php
}
elseif ( in_array($p, $allow_includes) ) {
include ($p);
}
else {
echo "Error 404";
}
?>
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.