
DVWA Web Penetration Testing: SQL Injection, Medium and High (3)

Medium security level: source code

<?php

if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];

    $id = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $id);

    $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query) or die( '<pre>' . mysqli_error($GLOBALS["___mysqli_ston"]) . '</pre>' );

    // Get results
    while( $row = mysqli_fetch_assoc( $result ) ) {
        // Display values
        $first = $row["first_name"];
        $last  = $row["last_name"];

        // Feedback for end user
        echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>";
    }

}

// This is used later on in the index.php page
// Setting it here so we can close the database connection in here like in the rest of the source scripts
$query  = "SELECT COUNT(*) FROM users;";
$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
$number_of_rows = mysqli_fetch_row( $result )[0];

mysqli_close($GLOBALS["___mysqli_ston"]);
?>

Here the mysqli_real_escape_string function escapes the special characters in a SQL string: for example, an input single quote ' is processed by prepending a backslash \. If the resulting statement is invalid, the corresponding error message is output. The affected characters are as follows:

\x00
\n
\r
\
'
"
\x1a

Although the code filters some sensitive characters with mysqli_real_escape_string, the value of the id variable in the SELECT statement is not wrapped in single or double quotes, so that layer of filtering is effectively useless: the input does not even need the single quote that would otherwise be required to close the string, and the statement can simply be entered directly:

The payload used in the example is:

1 union select table_name,table_schema from information_schema.tables
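Added here as an illustration, not DVWA's own code: the hardened form of the medium-level lookup, which validates that id is an integer and binds it as a parameter instead of splicing it into the query. It assumes an open mysqli connection $db to the same users table (DVWA itself uses $GLOBALS["___mysqli_ston"]) and shows offline that the page's payload is rejected before it ever reaches the database.

```php
<?php
// Added example, not DVWA's own code. The medium-level query escapes quotes but
// never quotes $id, so a payload such as "1 union select ..." contains nothing
// for mysqli_real_escape_string to escape and reaches MySQL unchanged.
// Hardened version: (a) accept only a positive integer id, (b) bind it as a
// parameter so the value is data, never SQL. Assumes an open mysqli $db
// connected to the DVWA database (the page uses $GLOBALS["___mysqli_ston"]).

/** Returns the id as an int, or null when the input is not a plain positive integer. */
function validate_id(string $id): ?int
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

/** Safe lookup: validation plus a prepared statement with an integer bind. */
function lookup_user(mysqli $db, string $raw_id): array
{
    $id = validate_id($raw_id);
    if ($id === null) {
        return [];   // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $id);   // 'i': bound as an integer, never spliced into the SQL text
    $stmt->execute();
    $stmt->bind_result($first, $last);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['first_name' => $first, 'last_name' => $last];
    }
    $stmt->close();
    return $rows;
}

// Offline check of the validation step against the page's payload (constructed
// input, no database needed): a normal id passes, the injection string is rejected.
$payload = '1 union select table_name,table_schema from information_schema.tables';
var_dump(validate_id('1'));
var_dump(validate_id($payload));
```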

High security level: source code
