2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains a SQL injection vulnerability in an early version of the ThinkPHP framework: why the parameter preprocessing of Model::query() does not escape its arguments even though the documentation says it does, how to verify the problem, and how to fix it.
Query-condition preprocessing does prevent SQL injection when it is used through where(), as in the following code:
$Model->where("id=%d and username='%s' and xx='%f'", array($id, $username, $xx))->select();
Or
$Model->where("id=%d and username='%s' and xx='%f'", $id, $username, $xx)->select();
However, the same placeholder syntax gives no protection against SQL injection when it is used through query(), even though the official documentation says it does:
$model->query('select * from user where id=%d and status=%s', $id, $status);
Or
$model->query('select * from user where id=%d and status=%s', array($id, $status));
Cause analysis:
The parseSql function in ThinkPHP/Lib/Core/Model.class.php, which query() uses to substitute the parameters, passes them straight into vsprintf without any escaping; the where() path escapes each parameter with the driver's escapeString() before substitution, which is why where() is safe and query() is not.
Its original function is:
protected function parseSql($sql, $parse) {
    // parse the expression
    if (true === $parse) {
        $options = $this->_parseOptions();
        $sql = $this->db->parseSql($sql, $options);
    } elseif (is_array($parse)) {
        // SQL preprocessing: parameters are substituted verbatim, nothing is escaped
        $sql = vsprintf($sql, $parse);
    } else {
        $sql = strtr($sql, array('__TABLE__' => $this->getTableName(), '__PREFIX__' => C('DB_PREFIX')));
    }
    $this->db->setModel($this->name);
    return $sql;
}
Verifying the vulnerability (example):
Request address:
http://localhost/Main?id=boo" or 1 = "1
Or
http://localhost/Main?id=boo%22%20or%201=%221
Action Code:
$model = M('Peipeidui');
// the %s placeholder sits inside double quotes, matching the double quote in the payload above
$m = $model->query('select * from peipeidui where name="%s"', $_GET['id']);
dump($m);
exit;
Or:
$model = M('Peipeidui');
$m = $model->query('select * from peipeidui where name="%s"', array($_GET['id']));
dump($m);
exit;
Results:
Every row of the peipeidui table is returned: the resulting statement is select * from peipeidui where name="boo" or 1 = "1", so the injected condition takes effect.
Solution:
You can modify the parseSql function to:
protected function parseSql($sql, $parse) {
    // parse the expression
    if (true === $parse) {
        $options = $this->_parseOptions();
        $sql = $this->db->parseSql($sql, $options);
    } elseif (is_array($parse)) {
        // SQL preprocessing
        // newly added line: escape every parameter before it is substituted
        $parse = array_map(array($this->db, 'escapeString'), $parse);
        $sql = vsprintf($sql, $parse);
    } else {
        $sql = strtr($sql, array('__TABLE__' => $this->getTableName(), '__PREFIX__' => C('DB_PREFIX')));
    }
    $this->db->setModel($this->name);
    return $sql;
}
Note that escapeString() only helps when the placeholder is wrapped in quotes in the SQL template: a template such as where status=%s remains injectable after this patch, and %d is safe only because vsprintf coerces its argument to an integer. Bound parameters (prepared statements) avoid both problems.
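The following stand-alone script is an added example, not ThinkPHP's own code. It reproduces the array branch of parseSql() before and after the fix against the payload used in the verification step, with a stub db object whose escapeString() is assumed to behave like mysql_real_escape_string() (approximated here with addslashes()). The two extra queries at the end go beyond the article's case to show the limits of the patch.

```php
<?php
// Added example (not ThinkPHP code): the vsprintf preprocessing of
// Model::parseSql() with and without per-parameter escaping.

class StubDb {
    // Assumption: ThinkPHP's Db::escapeString() escapes quotes and backslashes
    // the way mysql_real_escape_string() does; addslashes() stands in for it.
    public function escapeString($s) {
        return addslashes($s);
    }
}

// Vulnerable branch: parameters are substituted verbatim.
function parseSqlVulnerable($db, $sql, array $parse) {
    return vsprintf($sql, $parse);
}

// Fixed branch: every parameter is escaped before substitution.
function parseSqlFixed($db, $sql, array $parse) {
    $parse = array_map(array($db, 'escapeString'), $parse);
    return vsprintf($sql, $parse);
}

$db = new StubDb();

// Constructed input: the payload from the request above, after URL decoding.
$id = 'boo" or 1 = "1';

// The template from the verification step: %s inside double quotes.
$tpl = 'select * from peipeidui where name="%s"';
echo "vulnerable: ", parseSqlVulnerable($db, $tpl, array($id)), "\n";
echo "fixed:      ", parseSqlFixed($db, $tpl, array($id)), "\n";

// Caveat 1: escaping only helps when the placeholder is quoted in the template.
$unquoted = 'select * from user where status=%s';
echo "unquoted:   ", parseSqlFixed($db, $unquoted, array('1 or 1=1')), "\n";

// Caveat 2: %d coerces the argument to an integer, so a string payload collapses.
$numeric = 'select * from user where id=%d';
echo "numeric:    ", parseSqlFixed($db, $numeric, array($id)), "\n";
```

Run it with the php CLI. The vulnerable branch turns the payload into a tautology (name="boo" or 1 = "1"), which is why the whole table comes back; the fixed branch produces one quoted literal with the inner quotes escaped, which matches nothing. The unquoted status=%s template is still injectable after the patch because there is no quote for the escaping to protect, and the %d template is safe only because vsprintf reduces the payload to an integer.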
© 2024 shulou.com SLNews company. All rights reserved.