机房收费系统之结账BUG-Mysql Tutorial-php.cn

Home

Database

Mysql Tutorial

机房收费系统之结账BUG

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 07, 2016 pm 04:00 PM

bugcontentstatement

声明：以下内容只对将卡表和退卡表放在同一张表的同学适用！最近大家都已经开始做VB.NET机房收费系统重构版，在这里跟大家聊聊我在机房收费系统中发现的漏洞。在机房收费系统中有这样一个窗体--结账。个人认为结账的功能是：领导对操作员注册退卡进行结账

声明：以下内容只对将卡表和退卡表放在同一张表的同学适用！

最近大家都已经开始做VB.NET机房收费系统重构版，在这里跟大家聊聊我在机房收费系统中发现的漏洞。

在机房收费系统中有这样一个窗体--结账。个人认为结账的功能是：领导对操作员注册退卡进行结账，简单的说就是领导来收钱，如果你是一个操作员，每天充值退卡，你要知道你这段时间都赚了多少钱。

今天要说的重点就是卡表的结账！在结账中，有一个购卡，有一个退卡。也就是说，对于同一张卡，它注册后需要结账一次，退卡后也需要结账一次。

让我们来看看我数据库的卡表设计：

这里我们先不要纠结卡号是否为主键，每个字段的数据类型对不对。今天主要讲的是图中红色框框中的东西！如果你的注册和退卡在一张表中，如果你的卡表设计没有这四个字段，那么我可以很肯定的告诉你，你的结账有漏洞。

下面我们就来具体的说明为什么没有这四个字段就会有漏洞：

如图，一般大家的卡表设计都是这样，只有一个IsCheck字段和一个Handler字段。这样我们在结账的时候，如果有一张卡正在使用、未结账，然后我们就能在结账-购卡中把它查询出来。然后我们现在把它结账，这条记录的IsCheck字段就变成“已结账”，然后我们再对这张卡进行退卡操作！这时的退卡就没有结账，可是我们在结账-退卡中却查询不出来！这时为什么呢？现在我们来对比一下我们查询时使用的SQL语句：

结账-购卡：

select * from T_Card where IsCheck=&#39;未结账&#39; and handler=@handler

select * from T_Card where regitsterIsCheck=&#39;未结账&#39; and registerHandler=@handler

结账-退卡：

select * from T_Card where status=&#39;不使用&#39; and IsCheck=&#39;未结账&#39; and handler=@handler

select * from T_Card where status=&#39;不使用&#39; and logoutIsCheck=&#39;未结账&#39; and logoutHandler=@handler

通过对比这两条SQL语句，我们就能知道，如果结账-购卡的时候就把IsCheck字段改成“已结账”那么我们结账-退卡的时候就查不出来这条记录。

说完了registerIsCheck和logoutIsCheck字段的由来，下面再说说registerHandler和logoutHandler的由来：

如果我们的卡表里面只有一个Handler字段，那么如果我们在操作员1处购卡，在操作员2处退卡，那么该记录的Handler最后应该是谁呢？

通过以上的论述，相信大家对红色框中的四个字段的由来很信服了，如果大家还有什么不懂地方，可以找我私下讨论。

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

What are stored procedures in MySQL?May 01, 2025 am 12:27 AM

Stored procedures are precompiled SQL statements in MySQL for improving performance and simplifying complex operations. 1. Improve performance: After the first compilation, subsequent calls do not need to be recompiled. 2. Improve security: Restrict data table access through permission control. 3. Simplify complex operations: combine multiple SQL statements to simplify application layer logic.

How does query caching work in MySQL?May 01, 2025 am 12:26 AM

The working principle of MySQL query cache is to store the results of SELECT query, and when the same query is executed again, the cached results are directly returned. 1) Query cache improves database reading performance and finds cached results through hash values. 2) Simple configuration, set query_cache_type and query_cache_size in MySQL configuration file. 3) Use the SQL_NO_CACHE keyword to disable the cache of specific queries. 4) In high-frequency update environments, query cache may cause performance bottlenecks and needs to be optimized for use through monitoring and adjustment of parameters.

What are the advantages of using MySQL over other relational databases?May 01, 2025 am 12:18 AM

The reasons why MySQL is widely used in various projects include: 1. High performance and scalability, supporting multiple storage engines; 2. Easy to use and maintain, simple configuration and rich tools; 3. Rich ecosystem, attracting a large number of community and third-party tool support; 4. Cross-platform support, suitable for multiple operating systems.

How do you handle database upgrades in MySQL?Apr 30, 2025 am 12:28 AM

The steps for upgrading MySQL database include: 1. Backup the database, 2. Stop the current MySQL service, 3. Install the new version of MySQL, 4. Start the new version of MySQL service, 5. Recover the database. Compatibility issues are required during the upgrade process, and advanced tools such as PerconaToolkit can be used for testing and optimization.

What are the different backup strategies you can use for MySQL?Apr 30, 2025 am 12:28 AM

MySQL backup policies include logical backup, physical backup, incremental backup, replication-based backup, and cloud backup. 1. Logical backup uses mysqldump to export database structure and data, which is suitable for small databases and version migrations. 2. Physical backups are fast and comprehensive by copying data files, but require database consistency. 3. Incremental backup uses binary logging to record changes, which is suitable for large databases. 4. Replication-based backup reduces the impact on the production system by backing up from the server. 5. Cloud backups such as AmazonRDS provide automation solutions, but costs and control need to be considered. When selecting a policy, database size, downtime tolerance, recovery time, and recovery point goals should be considered.

What is MySQL clustering?Apr 30, 2025 am 12:28 AM

MySQLclusteringenhancesdatabaserobustnessandscalabilitybydistributingdataacrossmultiplenodes.ItusestheNDBenginefordatareplicationandfaulttolerance,ensuringhighavailability.Setupinvolvesconfiguringmanagement,data,andSQLnodes,withcarefulmonitoringandpe

How do you optimize database schema design for performance in MySQL?Apr 30, 2025 am 12:27 AM

Optimizing database schema design in MySQL can improve performance through the following steps: 1. Index optimization: Create indexes on common query columns, balancing the overhead of query and inserting updates. 2. Table structure optimization: Reduce data redundancy through normalization or anti-normalization and improve access efficiency. 3. Data type selection: Use appropriate data types, such as INT instead of VARCHAR, to reduce storage space. 4. Partitioning and sub-table: For large data volumes, use partitioning and sub-table to disperse data to improve query and maintenance efficiency.

How can you optimize MySQL performance?Apr 30, 2025 am 12:26 AM

TooptimizeMySQLperformance,followthesesteps:1)Implementproperindexingtospeedupqueries,2)UseEXPLAINtoanalyzeandoptimizequeryperformance,3)Adjustserverconfigurationsettingslikeinnodb_buffer_pool_sizeandmax_connections,4)Usepartitioningforlargetablestoi

See all articles