我的网站上有一个区域,其中显示了一系列产品。这些可通过下拉菜单搜索,它使用数据库。不幸的是,已发现SQL注入,并且我已被要求解决任何漏洞。已标记为可疑/恶意的SQL查询在此处。我是SQL的新手所以不知道该找什么,有人可以帮忙吗?
------------------------------------------------------------
SELECT sale_item.*, manufacturer.name AS "mfr_name",
boom_type.name AS "boomType", lift_model.working_height,
lift_model.name AS "modelName", category.name AS
"category_name" FROM sale_item INNER JOIN manufacturer ON
sale_item.manufacturer_id = manufacturer.id INNER JOIN
lift_model ON sale_item.model_id = lift_model.id INNER JOIN
boom_type ON lift_model.boom_type_id = boom_type.id INNER
JOIN category ON lift_model.category_id = category.id WHERE
manufacturer.id = '-6380' OR (ORD(MID((SELECT
IFNULL(CAST(schema_name AS CHAR),0x20) FROM (SELECT
DISTINCT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT
1,1) AS eifp),2,1))>64) AND 'PyIX'='PyIX' AND boom_type.id =
'4' LIMIT 0, 12
------------------------------------------------------------
SELECT sale_item.*, manufacturer.name AS "mfr_name",
boom_type.name AS "boomType", lift_model.working_height,
lift_model.name AS "modelName", category.name AS
"category_name" FROM sale_item INNER JOIN manufacturer ON
sale_item.manufacturer_id = manufacturer.id INNER JOIN
lift_model ON sale_item.model_id = lift_model.id INNER JOIN
boom_type ON lift_model.boom_type_id = boom_type.id INNER
JOIN category ON lift_model.category_id = category.id WHERE
manufacturer.id = '-6380' OR (ORD(MID((SELECT
IFNULL(CAST(schema_name AS CHAR),0x20) FROM (SELECT
DISTINCT(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT
1,1) AS eifp),2,1))>77) AND 'PyIX'='PyIX' AND boom_type.id =
'4' LIMIT 0, 12
**编辑表格提交部分
<form action="hire-equipment.php5" method="get">
<div class="headings">Manufacturer</div>
<select id="manufacturer" name="manufacturer">
<option value="any">Any Manufacturer</option>
<?php
// Retrieve all the manufacturers and add to the pull-down menu.
$query = "SELECT id, name FROM manufacturer ORDER BY name ASC";
$tmpresult = mysqli_query ($dbc, $query);
while ($row = mysqli_fetch_array ($tmpresult, MYSQLI_ASSOC)) {
echo "<option value=\"{$row['id']}\">{$row['name']}</option>\n";
}
?>
</select>
<div class="headings">Type</div>
<select id="boom" name="boom">
<option value="any">Any Type</option>
<?php
// Retrieve all the boom types and add to the pull-down menu.
$query = "SELECT id, name FROM boom_type ORDER BY name ASC";
$tmpresult = mysqli_query ($dbc, $query);
while ($row = mysqli_fetch_array ($tmpresult, MYSQLI_ASSOC)) {
echo "<option value=\"{$row['id']}\">{$row['name']}</option>\n";
}
?>
</select>
<div class="headings">Power Source</div>
<select id="category" name="category">
<option value="any">Any Power Source</option>
<?php
// Retrieve all the categories and add to the pull-down menu.
$query = "SELECT id, name FROM category ORDER BY name ASC";
$tmpresult = mysqli_query ($dbc, $query);
while ($row = mysqli_fetch_array ($tmpresult, MYSQLI_ASSOC)) {
echo "<option value=\"{$row['id']}\">{$row['name']}</option>\n";
}
?>
</select>
<div class="headings">Working Height </div>
<select id="working_height" name="working_height">
<option value="0">Any Height</option>
<option value="1">up to 10m</option>
<option value="2">11m > 20</option>
<option value="3">Above 21</option>
</select>
<div class="headings">Price</div>
<select id="price" name="price">
<option value="ASC">Low > High</option>
<option value="DESC">High > Low</option>
</select>
<div class="headings">Search</div>
<input name="search" type="text" size="20" />
</div>
<div id="findmachine">
<input type="hidden" name="submitted" value="TRUE" />
<input src="../images/submit.png" type='image' value="Update Results" />
</div>
</form>
**结束编辑表格提交
if (isset($_GET['submitted'])) { // Check if the form has been submitted.
$searches = 'manufacturer=' . $_GET['manufacturer'] . '&boom=' . $_GET['boom'] . '&category=' . $_GET['category'] . '&working_height=' . $_GET['working_height'] . '&price=' . $_GET['price'] . '&submitted=TRUE';
$query = "SELECT sale_item.*, manufacturer.name AS \"mfr_name\", boom_type.name AS \"boomType\", lift_model.working_height, lift_model.name AS \"modelName\", category.name AS \"category_name\" FROM sale_item INNER JOIN manufacturer ON sale_item.manufacturer_id = manufacturer.id INNER JOIN lift_model ON sale_item.model_id = lift_model.id INNER JOIN boom_type ON lift_model.boom_type_id = boom_type.id INNER JOIN category ON lift_model.category_id = category.id";
if (isset($_GET['manufacturer'])) {
$mfr = $_GET['manufacturer'];
if ($mfr != "any") {
$whereclause .= " manufacturer.id = '$mfr'";
}
}
if (isset($_GET['category'])) {
$cat = $_GET['category'];
if ($cat != "any") {
if ($whereclause)
$whereclause .= " AND ";
$whereclause .= "category.id = '$cat'";
}
}
if (isset($_GET['boom'])) {
$boom = $_GET['boom'];
if ($boom != "any") {
if ($whereclause)
$whereclause .= " AND ";
$whereclause .= "boom_type.id = '$boom'";
}
}
if (isset($_GET['year'])) {
$year = $_GET['year'];
if ($year != "any") {
if ($whereclause)
$whereclause .= " AND ";
$whereclause .= "sale_item.mf_year = $year";
}
}
if (isset($_GET['working_height'])) {
$wh = $_GET['working_height'];
switch ($wh) {
case 1: $whu = 10; $whl = 1;
break;
case 2: $whu = 20; $whl = 11;
break;
case 3: $whu = 1000; $whl = 21;
break;
}
if ($whl && $whu) {
if ($whereclause)
$whereclause .= " AND ";
$whereclause .= "lift_model.working_height >= $whl AND lift_model.working_height <= $whu";
}
}
if (isset($_GET['search']) && (strlen($_GET['search']) > 0)) {
$search = escape_data($_GET['search']);
if ($whereclause)
$whereclause .= " OR ";
$whereclause .= "manufacturer.name LIKE '%$search%' OR boom_type.name LIKE '%$search%' OR category.name LIKE '%$search%' OR lift_model.name LIKE '%$search%'";
}
if ($whereclause)
$query = $query . " WHERE " . $whereclause;
if (isset($_GET['price'])) {
$post = $_GET['price'];
$query .= " ORDER BY sale_item.price_pounds $post ";
}
// Determine how many pages there are.
if (isset($_GET['np'])) { // Already been determined.
$num_pages = $_GET['np'];
} else { // Need to determine.
// Count the number of records
$tmpresult = @mysqli_query ($dbc, $query);
$num_records = mysqli_num_rows ($tmpresult);
mysqli_free_result ($tmpresult); // Free up the resources.
// Calculate the number of pages.
if ($num_records > $display) { // More than 1 page.
$num_pages = ceil ($num_records/$display);
} else {
$num_pages = 1;
}
}
// Determine where in the database to start returning results.
if (isset($_GET['s'])) {
$start = $_GET['s'];
} else {
$start = 0;
}
$query .= " LIMIT $start, $display";
//echo '<h2>' . $row['boomType'] . '</h2>';
//echo "$query<br />";
} else {
$searches = null;
// Determine how many pages there are.
if (isset($_GET['np'])) { // Already been determined.
$num_pages = $_GET['np'];
} else { // Need to determine.
// Count the number of records
$query = "SELECT COUNT(*) FROM sale_item";
$tmpresult = @mysqli_query ($dbc, $query);
$row = mysqli_fetch_array ($tmpresult, MYSQLI_NUM);
$num_records = $row[0];
mysqli_free_result ($tmpresult); // Free up the resources.
// Calculate the number of pages.
if ($num_records > $display) { // More than 1 page.
$num_pages = ceil ($num_records/$display);
} else {
$num_pages = 1;
}
}
//echo "there were $num_records records and the number of pages is $num_pages<br />\n";
// Determine where in the database to start returning results.
if (isset($_GET['s'])) {
$start = $_GET['s'];
} else {
$start = 0;
}
// pull them all
$query = "SELECT sale_item.*, manufacturer.name AS \"mfr_name\", boom_type.name AS \"boomType\", lift_model.name AS \"modelName\", lift_model.working_height, category.name AS \"category_name\" FROM sale_item JOIN manufacturer ON sale_item.manufacturer_id = manufacturer.id JOIN lift_model ON sale_item.model_id = lift_model.id JOIN boom_type ON lift_model.boom_type_id = boom_type.id JOIN category ON lift_model.category_id = category.id LIMIT $start, $display";
}
echo '<div class="clear"></div>';
//echo "$query<br />\n";
$result = @mysqli_query ($dbc, $query);
if (!$result) {
echo "<p><font color=\"red\">It's all gone pear-shaped. Sorry :-(</font></p><br />";
echo "$query<br />\n";
mysqli_close($dbc); // Close the database connection.
die;
}
$total_records = mysqli_num_rows ($result);
答案 0 :(得分:0)
在担心MySQL注入之前,您的代码需要显示提供的数据在何处以及如何输入/发送到数据库。
您的代码中无法看到任何内容。
例如:(假设您从表格/问卷中收集用户的数据)
warning我在PHP代码中没有看到这一点。
请向我们展示,以便我们更好地为您提供帮助