Home  >  Article  >  Backend Development  >  PHP魔术引号所带来的安全问题分析_PHP

PHP魔术引号所带来的安全问题分析_PHP

WBOY
WBOYOriginal
2016-06-01 11:51:51909browse

PHP通过提取魔术引号产生的“\”字符会带来一定的安全问题,例如下面这段代码片段:

// foo.php?xigr='ryat
function daddslashes($string, $force = 0) {
!defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
if(!MAGIC_QUOTES_GPC || $force) {
if(is_array($string)) {
foreach($string as $key => $val) {
$string[$key] = daddslashes($val, $force);
}
} else {
$string = addslashes($string);
}
}
return $string;
}
...
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
foreach($$_request as $_key => $_value) {
$_key{0} != '_' && $$_key = daddslashes($_value);
}
}
echo $xigr['hi'];
// echo \

上面的代码原本期望得到一个经过daddslashes()安全处理后的数组变量$xigr['hi'],但是没有对变量$xigr做严格的类型规定,当我们提交一个字符串变量$xigr='ryat,经过上面的处理变为\'ryat,到最后$xigr['hi']就会输出\,如果这个变量引入到SQL语句,那么就会引起严重的安全问题了,对此再来看下面的代码片段:

...
if($xigr) {
foreach($xigr as $k => $v) {
$uids[] = $v['uid'];
}
$query = $db->query("SELECT uid FROM users WHERE uid IN ('".implode("','", $uids)."')");

利用上面提到的思路,通过提交foo.php?xigr[]='&xigr[][uid]=evilcode这样的构造形式可以很容易的突破GPC或类似的安全处理,形成SQL注射漏洞!对此应给与足够的重视!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn