Php _GET method as prepared statement
Tags: php, mysql, mysqli

I'm trying to patch all the SQL injection vulnerabilities on an existing website. One of my PHP files uses the _GET method inside a ternary operator. details.php:
<?php
$_SERVER['DOCUMENT_ROOT'] = ".";
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CHtml.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CExtra.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CDetailMenu.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CDetail.php');
//include 'ChromePhp.php';

// Get Html Page Header
GetPageHeader();
GetTopMenu();

// Get Html Page Body
$menu_js = '';
$img_pd_header = '';
$did = (isset($_GET['did'])) ? $_GET['did'] : 0;
$mid = (isset($_GET['mid'])) ? $_GET['mid'] : 0;
$menu_html = (isset($_GET['gid'])) ? GetDetailMenu($_GET['gid']) : GetDetailMenu($_GET['mid']);
$detail_html = GetDetailContent($_GET['mid'], $did);
GetPageBody($menu_html, $detail_html);
if ($mid == 10)
    $menu_js .= '
    $(\'#gallery a\').lightBox();
    ';

// Get Html Page Footer
GetPageFooter(false, $menu_js);
?>
SQL injection still shows up every time :(

Answer:

In this case the simplest and least intrusive approach is probably to cast the ID to an integer (the code would do that anyway, but in my opinion it is more readable this way):

Comments:

If you're using prepared statements, there is rarely a reason to escape manually. It's not clear what "only for the _GET command" means. You have a statement that looks fine. What's the problem with using it? Normally you just call bind_param with the $_GET variable as the bound value. Where is the GET used in SQL?

Remember, when using a ternary the best plan is to keep repetition to a minimum: GetDetailMenu($_GET[isset($_GET['gid']) ? 'gid' : 'mid']) is more compact and should do it. You can also sometimes use GetDetailMenu($_GET['gid'] | $_GET['mid']) if those values are logically true when set.

@chris85 The original statement was: $sql = 'SELECT PID FROM menu WHERE MID = '.$gid;

OK, so in that case replace $gid with a placeholder and then bind the parameter. For a start, $dbh->prepare("SELECT PID FROM menu WHERE MID = ?") looks correct. Do you bind it later, or is that all?

Casting doesn't seem to work. I get the correct parameter for the GetDetailMenu() function, but by then the SQL injection has already happened. I believe it may be executing in the isset($_GET['mid']) in the if statement.

That's not possible. By definition, SQL injection can only happen inside an SQL query. The only explanation I can think of is that the GET parameter is also used somewhere else.

@steffensq What SQL injection are you getting? Updating data, exposing credentials, deleting data, etc.?

@chris85 Exposing credentials.
CDetailMenu.php:

<?php
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CDataSet.php');
include 'config.php';
//include 'ChromePhp.php';

function GetDetailMenu($gid) {
    global $menu_js;
    global $DB;
    $dbh = new mysqli($DB->host, $DB->user, $DB->pass, $DB->database);
    if ($dbh->connect_errno) {
        echo "Failed to connect to MySQL: (" . $dbh->connect_errno . ") " . $dbh->connect_error;
    }
    $cid = 0;
    $dataset = new CDataSet();
    if ($gid > 0) {
        //$sql = 'SELECT PID FROM menu WHERE MID = '.$gid; // Old SQL Statement
        // Prepared statement, stage 1: prepare
        if (!($sqlstmt = $dbh->prepare("SELECT PID FROM menu WHERE MID = ?"))) {
            echo "Prepare failed: (" . $dbh->errno . ") " . $dbh->error;
        }
        /* Prepared statement, stage 2: bind and execute */
        if (!$sqlstmt->bind_param('i', $gid)) {
            echo "Binding parameters failed: (" . $sqlstmt->errno . ") " . $sqlstmt->error;
        }
        if (!$sqlstmt->execute()) {
            echo "Execute failed: (" . $sqlstmt->errno . ") " . $sqlstmt->error;
        }
        /* Prepared statement, stage 3: read PID from the executed statement.
           The old $sql string no longer exists, so the result must come from $sqlstmt;
           $cid keeps its initial 0 when no row matches. */
        $sqlstmt->bind_result($cid);
        $sqlstmt->fetch();
        $sqlstmt->close();
    }
    $sql = 'SELECT FST_ID, '.GetFieldName('FST_NAME').', SND_ID, '.GetFieldName('SND_NAME').', TRD_ID, '.GetFieldName('TRD_NAME').', IMG_FILE, IS_PRODUCT, '.
           'SND_FILE, SND_FILENAME, TRD_FILE, TRD_FILENAME '.
           'FROM view_menu';
    $dlmenu = $dataset->GetDataSet($sql);
    $dataset = null;
    $menu_html = '
    <div style="float: left; padding-left: 22px;" id="my_menu" class="sdmenu">';
    $mid = 0;
    $idx = 0;
    foreach ($dlmenu as $key => $value) {
        if (!($value['IS_PRODUCT'])) {
            if ($mid <> $value['FST_ID']) {
                if ($mid > 0) $menu_html .= '
                </div>';
                $menu_html .= '
                <div class="collapsed">
                <span>'.stripslashes($value['FST_NAME']).'</span>';
                $mid = $value['FST_ID'];
                if ($mid == $cid) {
                    $img_pd_header = $value['IMG_FILE'];
                    $menu_js = '
                    var expendMenu = myMenu.submenus['.$idx.'];
                    myMenu.expandMenu(expendMenu); // Expand a submenu
                    ';
                }
                ++$idx;
            }
            if ($value['TRD_ID'] == '') {
                if ($value['SND_FILE'])
                    $menu_html .= '
                    <a href="images/menu/'.urldecode($value['SND_FILENAME']).'" target="_doc"> <img src="./images/dot.gif"> '.stripslashes($value['SND_NAME']).'</a>';
                else
                    $menu_html .= '
                    <a href="'.parse_url_query('detail.php?mid='.$value['SND_ID']).'"> <img src="./images/dot.gif"> '.stripslashes($value['SND_NAME']).'</a>';
            } else {
                if ($value['TRD_FILE'])
                    $menu_html .= '
                    <a href="images/menu/'.urldecode($value['TRD_FILENAME']).'" target="_doc"> <img src="./images/dot.gif"> > '.stripslashes($value['TRD_NAME']).'</a>';
                else
                    $menu_html .= '
                    <a href="'.parse_url_query('detail.php?mid='.$value['TRD_ID'].'&gid='.$value['SND_ID']).'"> <img src="./images/dot.gif"> > '.stripslashes($value['TRD_NAME']).'</a>';
            }
        }
    }
    $menu_html .= '
    </div>
    </div>';
    return Chinese_TradToSimp($menu_html);
}
?>
The escaping version tried in the question, applied only to the _GET parameter:

if (isset($_GET['mid']))
    $mid = mysqli_real_escape_string($dbh, $_GET['mid']);
else
    $mid = 0;
The integer-cast version suggested in the answer:

<?php
$id = (isset($_GET['gid'])) ? intval($_GET['gid']) : 0;
if ($id == 0 && isset($_GET['mid'])) {
    $id = intval($_GET['mid']);
}
$menu_html = GetDetailMenu($id);
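As an added example (not code from the question, the answer, or the site's own include files), here is the parent-ID lookup from GetDetailMenu() written out with the full mysqli prepared-statement cycle, next to the old string-concatenation form, with the request parameter validated as an integer through filter_input. The names readIdParam, getParentIdConcat and getParentId are chosen here, and the connection values are placeholders.

```php
<?php
// Added example, not code from the question or its answers. It assumes the same
// `menu` table (columns MID, PID) as the page; the connection values are placeholders.
declare(strict_types=1);

// Surface connection and statement errors as exceptions instead of silent failures.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Read an integer id from the query string. FILTER_VALIDATE_INT rejects anything that
// is not a plain integer (letters, spaces, quotes), so the value is clean before use.
function readIdParam(string $name): int
{
    $value = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return ($value === null || $value === false) ? 0 : $value;
}

// Old pattern from the page, kept only as the contrast: the id becomes part of the
// SQL text, so the query is only as safe as whatever the caller put into $gid.
function getParentIdConcat(mysqli $dbh, string $gid): ?int
{
    $row = $dbh->query('SELECT PID FROM menu WHERE MID = ' . $gid)->fetch_assoc();
    return $row ? (int) $row['PID'] : null;
}

// Hardened form: the id travels as a bound parameter and is never part of the SQL text.
// This is the complete prepare / bind_param / execute / bind_result / fetch cycle.
function getParentId(mysqli $dbh, int $gid): ?int
{
    $stmt = $dbh->prepare('SELECT PID FROM menu WHERE MID = ?');
    $stmt->bind_param('i', $gid);   // 'i' = integer parameter
    $stmt->execute();
    $stmt->bind_result($pid);       // bind the single output column
    $found = $stmt->fetch();        // true if a row was returned
    $stmt->close();
    return $found ? (int) $pid : null;
}

// Usage: choose one id before any query runs (gid wins, otherwise mid), so only a
// validated integer ever reaches the database layer.
$dbh = new mysqli('db-host', 'db-user', 'db-pass', 'db-name'); // placeholder credentials
$id  = readIdParam('gid') ?: readIdParam('mid');
$cid = $id > 0 ? (getParentId($dbh, $id) ?? 0) : 0;
```

With MYSQLI_REPORT_STRICT enabled, a failed prepare or execute throws a mysqli_sql_exception, so a broken query is noticed immediately instead of being echoed and then ignored as in the posted code.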