PHP _GET method as a prepared statement


I am trying to patch all of the SQL injection vulnerabilities on an existing website.

One of my PHP files uses the _GET method inside a ternary operator.

details.php:

<?php
$_SERVER['DOCUMENT_ROOT']=".";
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CHtml.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CExtra.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CDetailMenu.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CDetail.php');
//include 'ChromePhp.php';

// Get Html Page Header
GetPageHeader();
GetTopMenu();

// Get Html Page Body
$menu_js = '';
$img_pd_header = '';

$did = (isset($_GET['did'])) ? $_GET['did'] : 0 ;
$mid = (isset($_GET['mid'])) ? $_GET['mid'] : 0 ;

$menu_html = (isset($_GET['gid'])) ? GetDetailMenu($_GET['gid']) : GetDetailMenu($_GET['mid']);
$detail_html = GetDetailContent($_GET['mid'], $did);

GetPageBody($menu_html, $detail_html);

if ($mid == 10) 
    $menu_js .= '
        $(\'#gallery a\').lightBox();
';

// Get Html Page Footer
GetPageFooter(false, $menu_js);

?>

The SQL injection happens every time :(

In this case the simplest and least invasive approach is probably to cast the IDs to integers (the code does this too, but in my opinion this is more readable):


If you are using prepared statements, there is rarely a reason to escape manually. It is still unclear what "only for the _GET command" means. You have a statement that looks fine. Is there any problem with using it? Usually you just call bind_param with the $_GET variable as the bound value.

Where is the GET used in SQL?

Remember that when using a ternary, the best plan is to keep repetition to a minimum: GetDetailMenu($_GET[isset($_GET['gid']) ? 'gid' : 'mid']) is more compact and should do the job. Sometimes you can also use GetDetailMenu($_GET['gid'] | $_GET['mid']) if these values are logically true when set.

@chris85 The original statement was as follows: $sql = 'SELECT PID FROM menu WHERE MID = '.$gid;

OK, then in that case replace $gid with a placeholder and bind the parameter. For a start, $dbh->prepare("SELECT PID FROM menu WHERE MID = ?") looks correct. Do you bind it later? Or is that all there is?

Casting does not seem to work. I get the correct parameter for the GetDetailMenu() function, but at that point the SQL injection has already happened. I believe it may be executing in isset($_GET['mid']) in the if statement.

That is not possible. By definition, SQL injection can only occur in an SQL query. The only explanation I can think of is that the GET parameter is also used somewhere else.

@steffensq What SQL injection are you getting? Updating data, exposing credentials, deleting data, etc.?

@chris85 Exposing credentials.
<?php
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CDataSet.php');
include 'config.php';
//include 'ChromePhp.php';

function GetDetailMenu($gid) {
    global $menu_js;
    global $DB;

    $dbh= new mysqli($DB->host,$DB->user,$DB->pass,$DB->database);
    if ($dbh->connect_errno) {
            echo "Failed to connect to MySQL: (" . $dbh->connect_errno . ") " . $dbh->connect_error;
    }

    $cid = 0;
    $dataset = new CDataSet();

    if ($gid > 0) {
        //$sql = 'SELECT PID FROM menu WHERE MID = '.$gid;      // Old SQL Statement
        // Prepared statement, stage 1: prepare 
        if (!($sqlstmt = $dbh->prepare("SELECT PID FROM menu WHERE MID = ?"))) {
                echo "Prepare failed: (" . $dbh->errno . ") " . $dbh->error;
        }

        /* Prepared statement, stage 2: bind and execute */
        if (!$sqlstmt->bind_param('i',$gid)) {
                echo "Binding parameters failed: (" . $sqlstmt->errno . ") " . $sqlstmt->error;
        }

        if (!$sqlstmt->execute()) {
                echo "Execute failed: (" . $sqlstmt->errno . ") " . $sqlstmt->error;
        }

        /* Prepared statement, stage 3: read the result from the statement itself.
           $sql is no longer defined here (the old string is commented out), so
           GetFirstRecord($sql) would query nothing; bind_result/fetch is used instead. */
        $pid = 0;
        $sqlstmt->bind_result($pid);
        if ($sqlstmt->fetch()) {
            $cid = $pid;
        }
        $sqlstmt->close();
    }

    $sql = 'SELECT FST_ID, '.GetFieldName('FST_NAME').', SND_ID, '.GetFieldName('SND_NAME').', TRD_ID, '.GetFieldName('TRD_NAME').', IMG_FILE, IS_PRODUCT, '.
        'SND_FILE, SND_FILENAME, TRD_FILE, TRD_FILENAME '.
        'FROM view_menu';

    $dlmenu = $dataset->GetDataSet($sql);
    $dataset = null;

    $menu_html = '
<div style="float: left; padding-left: 22px;" id="my_menu" class="sdmenu">';
    $mid = 0;
    $idx = 0;
    foreach($dlmenu as $key=>$value) {
        if (!($value['IS_PRODUCT'])) {
            if ($mid <> $value['FST_ID']) {
                if ($mid > 0) $menu_html .= '
    </div>';
                $menu_html .= '
    <div class="collapsed">
    <span>'.stripslashes($value['FST_NAME']).'</span>';
                $mid = $value['FST_ID'];
                if ($mid == $cid) {
                    $img_pd_header = $value['IMG_FILE'];
                    $menu_js = '
        var expendMenu = myMenu.submenus['.$idx.'];
        myMenu.expandMenu(expendMenu);      // Expand a submenu
';
                }
                ++$idx;
            }
            if ($value['TRD_ID'] == '') {
                if ($value['SND_FILE'])
                    $menu_html .= '
        <a href="images/menu/'.urldecode($value['SND_FILENAME']).'" target="_doc">&nbsp;<img src="./images/dot.gif">&nbsp;&nbsp;'.stripslashes($value['SND_NAME']).'</a>';
                else
                    $menu_html .= '
        <a href="'.parse_url_query('detail.php?mid='.$value['SND_ID']).'">&nbsp;<img src="./images/dot.gif">&nbsp;&nbsp;'.stripslashes($value['SND_NAME']).'</a>';
            } else {
                if ($value['TRD_FILE'])
                    $menu_html .= '
        <a href="images/menu/'.urldecode($value['TRD_FILENAME']).'" target="_doc">&nbsp;<img src="./images/dot.gif">&nbsp;&nbsp;>&nbsp;&nbsp;'.stripslashes($value['TRD_NAME']).'</a>';
                else
                    $menu_html .= '
        <a href="'.parse_url_query('detail.php?mid='.$value['TRD_ID'].'&gid='.$value['SND_ID']).'">&nbsp;<img src="./images/dot.gif">&nbsp;&nbsp;>&nbsp;&nbsp;'.stripslashes($value['TRD_NAME']).'</a>';
            }
        }
    }
    $menu_html .= '
    </div>
</div>';
    return Chinese_TradToSimp($menu_html);
}
?>
if (isset($_GET['mid']))
    $mid = mysqli_real_escape_string($dbh, $_GET['mid']);
else
    $mid = 0;
<?php
$id = (isset($_GET['gid'])) ? intval($_GET['gid']) : 0 ;
if ($id == 0 && isset($_GET['mid'])) {
    $id = intval($_GET['mid']);
}

$menu_html = GetDetailMenu($id);
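The advice from the answer (cast the ids to integers) and from the comments (bind the value with bind_param instead of escaping it) combined into one self-contained piece of PHP. This is an added example written for this page, not code from the question or from any answer; it assumes an open mysqli connection in $dbh and the menu(MID, PID) table visible in the original GetDetailMenu(), and the helper names getIntParam() and lookupParentId() are invented for the example. The mysqli_real_escape_string() snippet shown above only escapes quote characters, which gives no protection when the value is placed unquoted into a numeric comparison; validating the type and binding the value does.

```php
<?php
// Added example, not part of the original question or answers.
// Assumes: $dbh is an open mysqli connection (e.g. built from config.php),
// and the menu table has integer columns MID and PID as in the original code.
declare(strict_types=1);

/**
 * Read an integer id from the query string.
 * Returns 0 when the parameter is absent or is not a plain non-negative
 * integer. Unlike intval(), FILTER_VALIDATE_INT rejects input such as
 * "10 abc" outright instead of silently truncating it.
 */
function getIntParam(string $name): int
{
    $value = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    // null: parameter missing; false: present but not an integer
    return ($value === null || $value === false) ? 0 : $value;
}

/**
 * Look up the parent id (PID) for a menu id (MID) with a prepared statement.
 * The id travels as a bound integer parameter and is never concatenated
 * into the SQL text, so its content cannot change the query's structure.
 */
function lookupParentId(mysqli $dbh, int $mid): int
{
    if ($mid <= 0) {
        return 0;
    }

    $stmt = $dbh->prepare('SELECT PID FROM menu WHERE MID = ?');
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $dbh->error);
    }

    $stmt->bind_param('i', $mid);
    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('Execute failed: ' . $error);
    }

    // bind_result()/fetch() works without the mysqlnd driver, unlike get_result().
    $pid = 0;
    $stmt->bind_result($pid);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? (int) $pid : 0;
}

// Request handling mirrors the ternary in details.php: prefer gid, fall back to mid.
$gid = getIntParam('gid');
$mid = getIntParam('mid');
$did = getIntParam('did');
$menuId = ($gid > 0) ? $gid : $mid;

// With a real connection in $dbh (assumed, not created here):
// $cid = lookupParentId($dbh, $menuId);
```

getIntParam() is the one place where untrusted input is turned into a typed value, so every later use of $gid, $mid and $did (including the isset()/ternary logic and the `$mid == 10` check in details.php) operates on an int. lookupParentId() then relies on the bound parameter rather than on the caller having validated anything, so the two defences are independent.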