I am trying to patch all the SQL injection vulnerabilities on an existing website.
One of my php files reads _GET inside a ternary operator.
details.php:
public class Cell{
public int positionX;
public int positionY;
public int valueOfCell = 0;
// Constructor used by the commented-out grid initialisation below
public Cell(int x, int y) {
positionX = x;
positionY = y;
}
/*
Cell[][] array = new Cell[12][12];
for (int i = 0; i < 12; i++)
{
for (int j = 0; j < 12; j++) {
array[i][j] = new Cell(i, j);
}
}
*/
public Cell getCell() {
return this;
}
public void setCell(Cell object,int Nvalue) {
object.valueOfCell=Nvalue;
}
}
This value is passed to a function in another php file, where it is used to build the SQL statement.
detailmenu.php:
<?php
$_SERVER['DOCUMENT_ROOT']=".";
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CHtml.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CExtra.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CDetailMenu.php');
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CDetail.php');
//include 'ChromePhp.php';
// Get Html Page Header
GetPageHeader();
GetTopMenu();
// Get Html Page Body
$menu_js = '';
$img_pd_header = '';
$did = (isset($_GET['did'])) ? $_GET['did'] : 0 ;
$mid = (isset($_GET['mid'])) ? $_GET['mid'] : 0 ;
// The raw query-string values go straight into the functions that build the SQL
$menu_html = (isset($_GET['gid'])) ? GetDetailMenu($_GET['gid']) : GetDetailMenu($mid);
$detail_html = GetDetailContent($mid, $did);
GetPageBody($menu_html, $detail_html);
if ($mid == 10)
$menu_js .= '
$(\'#gallery a\').lightBox();
';
// Get Html Page Footer
GetPageFooter(false, $menu_js);
?>
I can create a prepared statement in detailmenu.php and check the result, but I don't know how to create a prepared statement just for the _GET parameters. The examples I have seen show it being started in the bind_params() function, but I have no associated statement to bind to. Any ideas on how to achieve this?
To add, I also tried using the real_escape_string() function, without success.
<?php
include_once($_SERVER['DOCUMENT_ROOT'].'/include/CDataSet.php');
include 'config.php';
//include 'ChromePhp.php';
function GetDetailMenu($gid) {
global $menu_js;
global $DB;
$dbh= new mysqli($DB->host,$DB->user,$DB->pass,$DB->database);
if ($dbh->connect_errno) {
echo "Failed to connect to MySQL: (" . $dbh->connect_errno . ") " . $dbh->connect_error;
}
$cid = 0;
$dataset = new CDataSet();
if ($gid > 0) {
//$sql = 'SELECT PID FROM menu WHERE MID = '.$gid; // Old SQL Statement
// Prepared statement, stage 1: prepare
if (!($sqlstmt = $dbh->prepare("SELECT PID FROM menu WHERE MID = ?"))) {
echo "Prepare failed: (" . $dbh->errno . ") " . $dbh->error;
}
/* Prepared statement, stage 2: bind and execute */
if (!$sqlstmt->bind_param('i',$gid)) {
echo "Binding parameters failed: (" . $sqlstmt->errno . ") " . $sqlstmt->error;
}
if (!$sqlstmt->execute()) {
echo "Execute failed: (" . $sqlstmt->errno . ") " . $sqlstmt->error;
}
/* Prepared statement, stage 3: read the result from the statement itself
   (the old $sql variable no longer exists, so it cannot be passed to the dataset) */
$sqlstmt->bind_result($pid);
if ($sqlstmt->fetch()) {
$cid = $pid;
}
$sqlstmt->close();
}
$sql = 'SELECT FST_ID, '.GetFieldName('FST_NAME').', SND_ID, '.GetFieldName('SND_NAME').', TRD_ID, '.GetFieldName('TRD_NAME').', IMG_FILE, IS_PRODUCT, '.
'SND_FILE, SND_FILENAME, TRD_FILE, TRD_FILENAME '.
'FROM view_menu';
$dlmenu = $dataset->GetDataSet($sql);
$dataset = null;
$menu_html = '
<div style="float: left; padding-left: 22px;" id="my_menu" class="sdmenu">';
$mid = 0;
$idx = 0;
foreach($dlmenu as $key=>$value) {
if (!($value['IS_PRODUCT'])) {
if ($mid <> $value['FST_ID']) {
if ($mid > 0) $menu_html .= '
</div>';
$menu_html .= '
<div class="collapsed">
<span>'.stripslashes($value['FST_NAME']).'</span>';
$mid = $value['FST_ID'];
if ($mid == $cid) {
$img_pd_header = $value['IMG_FILE'];
$menu_js = '
var expendMenu = myMenu.submenus['.$idx.'];
myMenu.expandMenu(expendMenu); // Expand a submenu
';
}
++$idx;
}
if ($value['TRD_ID'] == '') {
if ($value['SND_FILE'])
$menu_html .= '
<a href="images/menu/'.urldecode($value['SND_FILENAME']).'" target="_doc"> <img src="./images/dot.gif"> '.stripslashes($value['SND_NAME']).'</a>';
else
$menu_html .= '
<a href="'.parse_url_query('detail.php?mid='.$value['SND_ID']).'"> <img src="./images/dot.gif"> '.stripslashes($value['SND_NAME']).'</a>';
} else {
if ($value['TRD_FILE'])
$menu_html .= '
<a href="images/menu/'.urldecode($value['TRD_FILENAME']).'" target="_doc"> <img src="./images/dot.gif"> > '.stripslashes($value['TRD_NAME']).'</a>';
else
$menu_html .= '
<a href="'.parse_url_query('detail.php?mid='.$value['TRD_ID'].'&gid='.$value['SND_ID']).'"> <img src="./images/dot.gif"> > '.stripslashes($value['TRD_NAME']).'</a>';
}
}
}
$menu_html .= '
</div>
</div>';
return Chinese_TradToSimp($menu_html);
}
?>
The SQL injection shows up every time :(
Answer 0 (score: -2)
In this case the easiest and least intrusive way is to cast the ID to an integer (the code does the same thing, but is in my opinion more readable):
<?php
$id = (isset($_GET['gid'])) ? intval($_GET['gid']) : 0;
if ($id == 0 && isset($_GET['mid'])) {
$id = intval($_GET['mid']);
}
$menu_html = GetDetailMenu($id);
Is this the best solution? Absolutely not, but it will get the job done.
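As an added example (not the asker's or the answerer's code), here is the pattern both the question (parameterizing the _GET ids) and the answer (casting them to int) are reaching for: validate did/mid/gid as non-negative integers, then run the MID-to-PID lookup from CDetailMenu.php as a prepared statement. To run offline it uses PDO with an in-memory SQLite table standing in for the site's menu table, which is an assumption; with mysqli the prepare/bind/execute shape is the same.

```php
<?php
// Validation of the ids the page reads from $_GET, then the MID -> PID lookup
// as a prepared statement. PDO + in-memory SQLite is an assumption made so the
// script runs offline; the site itself uses mysqli.

// Return the parameter as a non-negative int, or 0 (the page's default) when
// it is absent or not a plain integer (e.g. a string carrying SQL syntax).
function getIntParam(array $params, string $name): int {
    if (!isset($params[$name])) {
        return 0;
    }
    $v = filter_var($params[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return ($v === false) ? 0 : $v;
}

// The lookup from CDetailMenu.php (SELECT PID FROM menu WHERE MID = ?), with the
// id bound as a parameter instead of concatenated. Returns 0 when no row matches.
function lookupParentId(PDO $dbh, int $gid): int {
    if ($gid <= 0) {
        return 0;
    }
    $stmt = $dbh->prepare('SELECT PID FROM menu WHERE MID = ?');
    $stmt->bindValue(1, $gid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['PID'] : 0;
}

// Constructed sample rows standing in for the site's menu table.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE menu (MID INTEGER PRIMARY KEY, PID INTEGER NOT NULL)');
$dbh->exec('INSERT INTO menu (MID, PID) VALUES (10, 0), (11, 10), (12, 10)');

// Constructed requests: a normal one, one with a tampered gid, one without gid.
$requests = [
    ['mid' => '10', 'gid' => '12'],
    ['mid' => '10', 'gid' => '12 OR 1=1'],
    ['mid' => '10'],
];
foreach ($requests as $get) {
    $gid = getIntParam($get, 'gid');
    $mid = getIntParam($get, 'mid');
    $id  = ($gid > 0) ? $gid : $mid;   // same gid-then-mid fallback as detailmenu.php
    printf("gid=%s -> id=%d, PID=%d\n", var_export($get['gid'] ?? null, true), $id, lookupParentId($dbh, $id));
}
```

The tampered gid is rejected by the validator and falls back to mid, so the only value that ever reaches the query is a bound integer.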