I built a health supplement site, http://www.bjp51.net, and ran into a problem these past two days: a 360 scan rated it high-risk, with a score of only 49. The report is as follows:
The first item is a very serious problem, and today I want to solve that one.
Here is the note given by 360:
I don't know how to change it; I hope you can help me fix it.
Replies to the discussion (solution)
This is the source of the contrast.php file.
[HTML comparison table from contrast.php, with rows for: Product Picture (a linked image), Product Name, Main Features, Specification Package, Investment Area, Product Description, The support you can provide, Requirements for the agent, Note.]
$id = '';
if (!empty($_POST['id'])) {
    // loop bound restored from the truncated original: one entry per checked checkbox
    for ($i = 0; $i < count($_POST['id']); $i++) {
        $id = $id . ($_POST['id'][$i] . ',');   // raw POST value goes straight into the list
    }
    $id = substr($id, 0, strlen($id) - 1);       // Remove the trailing ","
}
$sql = "SELECT * from Zzcms_main where ID in ($id)";
It says you are using incoming data in a SQL statement without checking it.
I'm a PHP newbie; how should I validate it, and how do I check it properly?
And if I don't check it, is it easy to get injected?
$id = $id . (intval($_POST['id'][$i]) . ',');
The principle of SQL injection is injecting through the address bar or a form.
If you take $_GET["a"] from the address bar and use it directly in the program without filtering it, that is a threat. For example:
If $_GET["a"] = 1, then:
$sql = "SELECT * from AA where ID = {$_GET['a']}"; is $sql = "SELECT * from AA where ID = 1";
But if someone else edits the address bar themselves and changes the value of $_GET["a"] to 1 or (and) xxx, any kind of code, then this query statement becomes
$sql = "SELECT * from AA WHERE ID = 1 or (and) xxx";
And so you get hit.
So parameters taken from the address bar and from forms must be formatted and filtered properly: specify what type, how long, and which characters are allowed ...
$sql = "SELECT * from Zzcms_main where ID in ($id)";
What is $id? What can be put into it?
Since the ID can only be a number, you can use intval on it; if it isn't a number it becomes 0, and then it can't be injected.
Security level: High risk
Your security level beats 46% of websites nationwide!
$id = $id . (intval($_POST['id'][$i]) . ',');
Replace each single quote in the incoming data with two consecutive single quotes, and put single quotes around the arguments passed into the SQL statement.
$id = str_replace("'", "''", $_POST['id']);
$sql = "SELECT * from Tb_user where id = '$id'";
Then there is no fear of injection.
Thank you for your answer. I currently have $id = $id . ($_POST['id'][$i] . ','); and replaced it with $id = $id . (intval($_POST['id'][$i]) . ',');
That's right.
It's not right; I changed it to:
if (!empty($_POST['id'])) {
    for ($i = 0; $i < count($_POST['id']); $i++) {
        $id = $id . ($_POST['id'][$i] . ',');            // original line, still appends the raw value
        $id = $id . (intval($_POST['id'][$i]) . ',');    // added line with intval
    }
    $id = substr($id, 0, strlen($id) - 1);  // Remove the trailing ","
}
Isn't that right?
if (!empty($_POST['id'])) { $id = join(',', array_map('intval', $_POST['id'])); }
Better to give $id a different name.
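The replies above (the explanation of how an unfiltered $_GET["a"] reaches the query, the quote-doubling str_replace suggestion, and the moderator's array_map('intval') one-liner) describe the problem and the repair in prose. The block below is an added example written for this page, not code from the thread or from zzcms. It runs the contrast.php pattern against a constructed in-memory SQLite table: the table name Zzcms_main and the integer ID column come from the thread, while the rows, the attack string and the file name contrast_demo.php are assumptions. It shows the raw concatenation returning the whole table, the intval fix stopping that, and, going beyond the thread, a prepared statement with one placeholder per value.

```php
<?php
// Added example (not code from the thread or from zzcms): the contrast.php
// pattern run against an in-memory SQLite table so it can be tried offline.
// Assumptions: Zzcms_main has an integer ID column, and $_POST['id'] is an
// array of checkbox values, as the original loop implies.

// Constructed sample data standing in for Zzcms_main.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Zzcms_main (ID INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO Zzcms_main VALUES (1,'product one'),(2,'product two'),(3,'product three')");

// 1. The original contrast.php logic: raw POST values concatenated into IN (...).
function vulnerableIdList(array $postIds): string
{
    $id = '';
    for ($i = 0; $i < count($postIds); $i++) {
        $id = $id . ($postIds[$i] . ',');
    }
    return substr($id, 0, strlen($id) - 1);   // strip the trailing ","
}

// 2. The moderator's fix: every element forced to an integer before joining.
//    The is_array guard is an addition: a non-array 'id' would make array_map throw.
function hardenedIdList($postIds): string
{
    if (!is_array($postIds) || empty($postIds)) {
        return '0';                            // IN (0) matches nothing
    }
    return join(',', array_map('intval', $postIds));
}

// 3. Beyond the thread: bind each value through a placeholder instead of
//    building the SQL text at all, so the input can never change the query.
function preparedSelect(PDO $pdo, array $postIds): array
{
    if (empty($postIds)) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($postIds), '?'));
    $stmt = $pdo->prepare("SELECT * FROM Zzcms_main WHERE ID IN ($placeholders)");
    $stmt->execute(array_values($postIds));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Runs a query built from an already-assembled id list, as contrast.php does.
function runQuery(PDO $pdo, string $idList): array
{
    return $pdo->query("SELECT * FROM Zzcms_main WHERE ID IN ($idList)")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Honest input: two checked boxes (constructed).
$honest = ['1', '3'];
// Constructed attack input: closes the IN list early, adds an always-true
// condition, and comments out the rest. It contains no quote character.
$attack = ['0) OR 1=1 --'];

printf("vulnerable, honest: %d rows\n", count(runQuery($pdo, vulnerableIdList($honest))));
printf("vulnerable, attack: %d rows\n", count(runQuery($pdo, vulnerableIdList($attack))));
printf("intval,     attack: %d rows\n", count(runQuery($pdo, hardenedIdList($attack))));
printf("prepared,   attack: %d rows\n", count(preparedSelect($pdo, $attack)));
printf("prepared,   honest: %d rows\n", count(preparedSelect($pdo, $honest)));
```

Run it with `php contrast_demo.php` (the pdo_sqlite extension must be enabled). With the vulnerable list the attack row count equals the whole table, because the input becomes `ID IN (0) OR 1=1 --)`; after intval the same input collapses to `IN (0)`, and the prepared statement compares the literal string against the integer column. Note that the attack string contains no quote character, so the quote-doubling str_replace suggested earlier would leave it unchanged: doubling quotes only helps when the value sits inside a quoted string literal, and the `IN ($id)` list in contrast.php has no quotes around it.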
I'm not familiar with PHP; I'll just use this code and not go hunting through the variables.
Thanks to the moderator for the selfless spirit.
I found that the other problem was also solved for me by you; thanks again!