PHP built-in function intval ()

Source: Internet
Author: User
Tags function prototype numeric sql injection
I. Description of

The Intval function has an attribute: "Until the number or sign symbol is started to do the conversion, and then encountered Non-numeric or end of the string (/0) End Conversion", in some applications due to the Intval function This feature is not known enough, the use of errors leads to bypass some security judgments lead to security vulnerabilities.

Second, analysis

Php_function (intval)

{

Zval **num, **a Rg_base;

Int base;

Switch (Zend_num_args ()) {

Case 1:

If (ZEND_GET_PARAMETERS_EX (1, &num) = = failure) {

Wron G_param_count;

}

Base = ten;

Break;

Case 2:

If (ZEND_GET_PARAMETERS_EX (2, &num, &arg_base) = = failure) {

Wrong_param_count;

}

Convert_to_long_ex (arg_base);

Base = z_lval_pp (Arg_base);

Break;

Default:

Wrong_param_count;

}

Retval_zval (*num, 1, 0);

Convert_to_long_base (Return_value, base);

}

Zend/zend_operators.c->>convert_to_long_base ()

...

Case is_string:

Strval = z_strval_p (OP);

Z_lval_p (OP) = Strtol (Strval, NULL, base);

Str_free (strval);

Break;

When the Intval function accepts a string parameter that calls Convert_to_long_base () processing, the next call is Z_lval_p (OP) = Strtol (Strval, NULL, Base), and the parameters are processed by the Strtol function.

The function prototype is as follows:

Long int strtol (const char *nptr,char **endptr,int base);

This function converts the parameter nptr string based on the parameter base to the number of growth integers, the parameters base range from 2 to 36, or 0. Parameter base represents the method used, such as the base value of 10 is 10, if the base value of 16 is 16.

The process is:

Strtol () scans the parameter nptr string and skips the preceding space character until it encounters a number or positive sign before starting the conversion, and then returns to the end of a non-numeric or string (/0) ending conversion.

Then when the intval is used in the judgment of if, it will cause this judgment to be meaningful, and thus lead to security vulnerabilities.

Third, test code

intval.php

$var = "20070601";

if (Intval ($var))

echo "It ' safe";

echo ' $var = '. $var;

echo "

";

$var 1= "1 Union Select 1,1,1 from admin";

if (Intval ($var 1))

echo "It ' s safe too";

Echo ' $var 1= '. $var 1;

Iv. Practical Application

WordPress <= 2.0.6 wp-trackback.php zend_hash_del_key_or_index/sql injection Exploit

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.