sql注入
前台
application\User\Controller\LoginController.class.php
dologin()
1
2
3
4
5
6
7
| $username=$_POST['username'];
if(preg_match('/^\d+$/', $username)){//手机号登录
$this->_do_mobile_login();
}else{
$this->_do_email_login(); // 用户名或者邮箱登录
}
|
$users_model=M('Users');
$where['mobile']=$_POST['username'];
$password=$_POST['password'];
$result = $users_model->where($where)->find();
ajaxlogin()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| function ajaxlogin(){
$username=$_POST['account'];
$password=$_POST['password'];
$users_model=M('Users');
if(preg_match('/^\d+$/', $username)){
$where['mobile']=$username;
}else{
if(strpos($username,"@")>0){
$where['user_email']=$username;
}else{
$where['user_login']=$username;
}
}
$result = $users_model->where($where)->find();
|
tp3.2.3 where处存在缺陷如果没有经过`I`函数接受数据则会导致SQL注入
字符拼接sql注入
\application\Admin\Controller\AdController.class.php (后台)
function edit(){
$id=I("get.id");
$ad=$this->ad_model->where("ad_id=$id")->find();
$this->assign($ad);
$this->display();
}
1
| http://www.xxx.com/index.php/admin/Ad/edit?id=hello,word
|
function toggle(){
$ceshi = $_POST['ids'];
if(isset($_POST['ids']) && $_GET["display"]){
$c = $_POST['ids'];
$ids = implode(",", $_POST['ids']);
$data['status']=1;
if ($this->ad_model->where("ad_id in ($ids)")->save($data)!==false) {
$this->success("显示成功!");
} else {
$this->error("显示失败!");
}
}
if(isset($_POST['ids']) && $_GET["hide"]){
$ids = implode(",", $_POST['ids']);
$data['status']=0;
if ($this->ad_model->where("ad_id in ($ids)")->save($data)!==false) {
$this->success("隐藏成功!");
} else {
$this->error("隐藏失败!");
}
}
}
1
2
3
4
| http://www.xxx.com/index.php/admin/Ad/toggle?display=Hello,Word
ids[]=Hello,World!&
UPDATE `edu_ad` SET `status`='1' WHERE ( ad_id in (Hello,World!) )
|
\application\Admin\Controller\NavController.class.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
| public function add() {
$cid=$_REQUEST['cid'];
$result = $this->nav_model->where("cid=$cid")->order(array("listorder" => "ASC"))->select();
import("Tree");
$tree = new \Tree();
$tree->icon = array(' │ ', ' ├─ ', ' └─ ');
$tree->nbsp = ' ';
$parentid=I("get.parentid");
foreach ($result as $r) {
$r['str_manage'] = '<a href="' . U("Menu/add", array("parentid" => $r['id'], "menuid" => I("get.menuid"))) . '">添加子菜单</a> | <a href="' . U("Menu/edit", array("id" => $r['id'], "menuid" => I("get.menuid"))) . '">修改</a> | <a class="js-ajax-delete" href="' . U("Menu/delete", array("id" => $r['id'], "menuid" => I("get.menuid"))) . '">删除</a> ';
$r['status'] = $r['status'] ? "显示" : "隐藏";
$r['selected'] = $r['id']==$parentid?"selected":"";
$array[] = $r;
}
$tree->init($array);
$str = "<tr>
<td><input name='listorders[\$id]' type='text' size='3' value='\$listorder' class='input'></td>
<td>\$id</td>
<td >\$spacer\$label</td>
<td>\$status</td>
<td>\$str_manage</td>
</tr>";
$str="<option value='\$id' \$selected>\$spacer\$label</option>";
$nav_trees = $tree->get_tree(0, $str);
$this->assign("nav_trees", $nav_trees);
$cats=$this->navcat_model->select();
$this->assign("navcats",$cats);
$this->assign('navs', $this->_select());
$this->assign("navcid",$cid);
$this->display();
}
|
1
2
3
| http://www.xxx.com/index.php/admin/Nav/add?cid=hello,word
SELECT * FROM `edu_nav` WHERE ( cid=hello,word ) ORDER BY `listorder` ASC
|
