Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/php/298.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Php SiteLockSQL注入&;XSS扫描失败_Php_Security_Xss_Sql Injection - Fatal编程技术网
Fatal编程技术网
  • php/
  • Php SiteLockSQL注入&;XSS扫描失败

Php SiteLockSQL注入&;XSS扫描失败

php security

Php SiteLockSQL注入&;XSS扫描失败,php,security,xss,sql-injection,Php,Security,Xss,Sql Injection,您好,我正在购买SiteLock,他们说我的站点SQL注入和XSS扫描失败 SQLInjection: 网址: 说明:注射点:GET;注入参数:id;注入类型:数字 XSS扫描:URL:描述:id 我不知道怎么收集,有人能帮我吗 下面是我的php函数从数据库中提取数据 function get_products_in_cat_page(){ $query = query(" SELECT * FROM products WHERE product_category_id = " . escap

您好,我正在购买SiteLock,他们说我的站点SQL注入和XSS扫描失败

SQLInjection: 网址: 说明:注射点:GET;注入参数:id;注入类型:数字

XSS扫描:URL:描述:id

我不知道怎么收集,有人能帮我吗

下面是我的php函数从数据库中提取数据

function get_products_in_cat_page(){

$query = query(" SELECT * FROM products WHERE product_category_id = " . escape_string($_GET['id']) . "  ");
confirm($query);

if(mysqli_num_rows($query) == 0) {

set_message("Will update soon the new products");

} else {

while($row = fetch_array($query)) {

$product_image = display_image($row['product_s_image1']);
$product_image2 = display_image($row['product_s_image2']);
if ($row['product_quantity'] < 1) {
    $outofstock = "<div class='sale-flash out-of-stock'>Out of Stock</div>";
} else {
    $outofstock = "";
}

$product = <<<DELIMETER

<div class="product clearfix" style="padding:8px;">
    <div class="product-image">
        <a href="product.php?id={$row['product_id']}"><img src="images/{$product_image}" alt="{$row['product_title']}" class="selected"></a>
        <a href="product.php?id={$row['product_id']}"><img src="images/{$product_image2}" alt="{$row['product_title']}"></a>
        {$outofstock}
        <div class="product-overlay">
            <a href="include/ajax/quick_view.php?id={$row['product_id']}" class="add-to-cart" data-lightbox="ajax"><i class="icon-shopping-cart"></i><span>Quick View</span></a>
            <a href="product.php?id={$row['product_id']}" class="item-view"><i class="icon-zoom-in2"></i><span> More info.</span></a>
        </div>
    </div>
    <div class="product-desc center">
        <a href="product.php?id={$row['product_id']}">
        <div class="product-title"><h3 style="font-size:15px;">{$row['product_title']}</h3></div>
        </a>
        <div class="product-price">&#36;{$row['product_price']}</div>
        <div class="product-rating">

        </div>
    </div>
</div>


DELIMETER;

echo $product;

} 
}


}

函数获取目录页()中的产品{
$query=query(“从产品中选择*,其中product_category_id=“.escape_string($_GET['id']))。”);
确认($query);
if(mysqli_num_rows($query)==0){
设置_消息(“将很快更新新产品”);
}否则{
while($row=fetch_数组($query)){
$product\U image=显示图像($row['product\U image1']);
$product\U image2=显示图像($row['product\U image2']);
如果($row['product_quantity']<1){
$outofstock=“缺货”;
}否则{
$outofstock=“”;
}

$product=mysqli\u real\u escape\u字符串效果更好,但在您的情况下,将$\u GET['id']改为整数就足够了


WHERE product_category_id = ".(int)$_GET['id']