-
- /**
- * Parameter filtering code
- * edit bbs.it-home.org
- */
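// Magic quotes (always off since PHP 5.4, removed in 8.0) already added slashes
// to GPC data when enabled. Escape only when it is OFF -- escaping on top of
// magic quotes double-escapes every quote and backslash. The original tested
// the inverted condition. function_exists() guards the PHP 8 removal.
// NOTE(review): addslashes() is not a reliable SQL defence (unquoted contexts,
// some multibyte charsets); prepared statements are the real protection.
$magic_quotes_on = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
if (!$magic_quotes_on) {
    $_GET = sec($_GET);
    $_POST = sec($_POST);
    $_COOKIE = sec($_COOKIE);
    $_FILES = sec($_FILES);
}
// $_SERVER is never touched by magic quotes, so it is always escaped.
$_SERVER = sec($_SERVER);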
/**
 * Recursively escape request data for use in string-built SQL.
 *
 * Arrays are walked element by element (keys untouched); strings get
 * addslashes(); genuine int/float values are truncated to int via intval().
 * Note the branch order: a numeric *string* such as "123" is matched by
 * is_string() first, so it is slash-escaped rather than cast. Any other type
 * (bool, null, object) is returned unchanged.
 *
 * NOTE(review): addslashes() is a weak defence -- it does not help in unquoted
 * SQL contexts and is bypassable with some multibyte charsets. Prefer
 * prepared statements; this only reduces, not removes, injection risk.
 *
 * @param mixed $array value to escape (taken by reference; the result is also returned)
 * @return mixed the escaped value
 */
function sec(&$array) {
    if (is_array($array)) {
        foreach (array_keys($array) as $key) {
            $array[$key] = sec($array[$key]);
        }
        return $array;
    }
    if (is_string($array)) {
        return $array = addslashes($array);
    }
    if (is_numeric($array)) {
        return $array = intval($array);
    }
    return $array;
}
- ?>
1. Testing integer parameters
When the input parameter YY is an integer, usually the original SQL statement in abc.asp is roughly as follows:
select * from table name where field=YY, so you can use the following steps to test whether SQL injection exists.
①HTTP://xxx.xxx.xxx/abc.asp?p=YY’ (with a single quote attached), at this time the SQL statement in abc.ASP becomes
select * from table name where field=YY’, abc.asp runs abnormally;
②HTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=1, abc.asp runs normally, and the results are the same as HTTP://xxx.xxx.xxx/abc.asp?p=YY ;
③HTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=2, abc.asp runs abnormally;
If all three observations hold, abc.asp is almost certainly vulnerable to SQL injection: the quote breaks the query, while the `and 1=1` / `and 1=2` pair shows that injected boolean logic controls the result. Confirm with a second, differently shaped payload to rule out coincidence.
An integer filter function, the code is as follows:
-
-
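/**
 * Validate an integer request parameter or abort.
 *
 * Dies on falsy input (note: this also rejects a legitimate "0"), on input
 * flagged by inject_check(), and on non-numeric input. Returns the value
 * cast with intval().
 *
 * Fix: the original called is_numetic() (typo), a fatal undefined-function
 * error for every non-empty, non-flagged value.
 *
 * NOTE(review): is_numeric() also accepts floats and exponent forms
 * ("1.5", "1e3"), which intval() then truncates or expands; a stricter check
 * is filter_var($id, FILTER_VALIDATE_INT). The inject_check() pass is
 * redundant once the value is known to be an integer -- binding the int as a
 * query parameter is the real protection.
 *
 * @param mixed $id raw request value
 * @return int the validated integer (does not return on failure)
 */
function num_check($id) {
    if (!$id) {
        die('Parameter cannot be empty!');
    }
    if (inject_check($id)) {
        die('illegal parameter');
    }
    if (!is_numeric($id)) {
        die('illegal parameter');
    }
    return intval($id);
}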
//Character filter function
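/**
 * Validate a string request parameter for HTML output, or abort.
 *
 * Dies if inject_check() flags the value; otherwise returns it HTML-encoded.
 *
 * Fix: the original relied on htmlspecialchars() defaults, which before
 * PHP 8.1 leave the single quote unencoded -- a value placed in a
 * single-quoted attribute could break out of it. ENT_QUOTES encodes both
 * quote styles on every PHP version; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of silently returning an empty string.
 *
 * NOTE(review): HTML encoding is output escaping for an HTML context. It does
 * nothing for SQL, shell or URL sinks -- escape per sink, and use prepared
 * statements for the database.
 *
 * @param string $str raw request value
 * @return string HTML-escaped value
 */
function str_check($str) {
    if (inject_check($str)) {
        die('illegal parameter');
    }
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}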
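/**
 * Prepare a user-supplied search term for a SQL LIKE pattern and HTML output.
 *
 * Escapes the LIKE wildcards "_" (single character) and "%" (any run) with a
 * backslash so the term matches literally, then HTML-encodes the result the
 * same way str_check() does.
 *
 * Fix: the original replaced "_" with "_" and "%" with "%" -- both no-ops
 * (the backslashes were lost), so wildcards passed straight through and a
 * search for "%" matched every row.
 *
 * NOTE(review): "\" is the LIKE escape character by default in MySQL; other
 * engines (or NO_BACKSLASH_ESCAPES) need an explicit ESCAPE clause, and a
 * bare "\" in the input is not escaped here. The term must still be bound as
 * a query parameter. HTML-encoding a value headed for SQL corrupts terms
 * containing & < > " ' -- escape for one sink at a time.
 *
 * @param string $str raw search term
 * @return string LIKE-escaped, HTML-encoded term
 */
function search_check($str) {
    $str = str_replace('_', '\\_', $str);
    $str = str_replace('%', '\\%', $str);
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}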
- //Form filter function
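/**
 * Length-check a form value and strip the slashes added by sec()/magic quotes.
 *
 * Dies when strlen($str) is below $min or above $max (passing null for a
 * bound disables that side); otherwise returns stripslashes_array($str),
 * which recurses into arrays and strips strings.
 *
 * Fix: the error messages were single-quoted, so they printed the literal
 * text "$min"/"$max" instead of the bound.
 *
 * NOTE(review): strlen() counts bytes, consistent with the wording "bytes";
 * use mb_strlen() if a character limit is intended. strlen() on an array is
 * a TypeError on PHP 8 (a warning earlier), so an array only passes through
 * this function when both bounds are null.
 *
 * @param mixed $str form value (string, or array for stripslashes_array)
 * @param int|null $min minimum byte length, or null for no minimum
 * @param int|null $max maximum byte length, or null for no maximum
 * @return mixed slash-stripped value
 */
function post_check($str, $min, $max) {
    if (isset($min) && strlen($str) < $min) {
        die("minimum {$min} bytes");
    }
    if (isset($max) && strlen($str) > $max) {
        die("Up to {$max} bytes");
    }
    return stripslashes_array($str);
}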
- ?>
-
When the input parameter YY is a string, usually the original SQL statement in abc.asp is roughly as follows:
select * from table name where field='YY', so you can use the following steps to test whether SQL injection exists.
①HTTP://xxx.xxx.xxx/abc.asp?p=YY’ (with a single quote attached), at this time the SQL statement in abc.ASP becomes
select * from table name where field='YY'', and abc.asp runs abnormally because the extra quote leaves the string literal unterminated;
②HTTP://xxx.xxx.xxx/abc.asp?p=YY' and '1'='1, so the query becomes field='YY' and '1'='1'; abc.asp runs normally and returns the same results as HTTP://xxx.xxx.xxx/abc.asp?p=YY;
③HTTP://xxx.xxx.xxx/abc.asp?p=YY' and '1'='2, so the query becomes field='YY' and '1'='2'; abc.asp runs abnormally (the page renders but returns no rows);
If all three observations hold, abc.asp is almost certainly vulnerable to SQL injection in a string context: the quote breaks the query, while the `'1'='1` / `'1'='2` pair shows that injected boolean logic controls the result.
Below is a keyword-blacklist check of the kind often presented as "preventing" SQL injection. Note that such blacklists are easily bypassed (inline comments, encoding, unlisted keywords) and reject ordinary text; they are at best a tripwire, not a substitute for parameterised queries.
-
- //Anti-injection function
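/**
 * Heuristic blacklist check for SQL-injection-looking input.
 *
 * Returns 1 when the value contains any listed token (case-insensitive),
 * 0 otherwise -- truthy/falsy exactly like the eregi() result the callers
 * test. Tokens: SQL verbs, the single quote, the comment opener, the bare
 * "*", path-traversal fragments, and MySQL file primitives.
 *
 * Fixes: eregi() was removed in PHP 7; the original pattern contained an
 * unescaped "'" that terminated the PHP string literal (a parse error),
 * unescaped "*" and "/*" (invalid regex), and the typo "inert" for "insert".
 *
 * NOTE(review): a keyword blacklist is not a defence. It is trivially
 * bypassed (inline comments, encoding, unlisted keywords, keyword splitting)
 * and produces false positives on ordinary text ("into", "update", any
 * asterisk). Keep it at most as a logging tripwire; the actual protection is
 * parameterised queries.
 *
 * @param string $sql_str raw request value
 * @return int 1 if a blacklisted token was found, 0 otherwise
 */
function inject_check($sql_str) {
    $blacklist = '/select|insert|update|delete|\'|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile/i';
    return preg_match($blacklist, (string) $sql_str);
}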
/**
 * Recursively undo addslashes() on a value.
 *
 * Arrays are descended element by element (keys are left as they are);
 * strings are passed through stripslashes(); every other type is returned
 * unchanged. The argument is taken by reference and also returned, mirroring
 * sec().
 *
 * @param mixed $array value to unescape
 * @return mixed the unescaped value
 */
function stripslashes_array(&$array) {
    if (is_string($array)) {
        $array = stripslashes($array);
    } elseif (is_array($array)) {
        foreach (array_keys($array) as $key) {
            $array[$key] = stripslashes_array($array[$key]);
        }
    }
    return $array;
}
- ?>