This article mainly introduces the SQL injection vulnerability and solutions caused by phpis_numberic functions. For more information, see
I. Introduction to is_numberic Functions
Some CMS programs in China have used is_numberic functions. Let's take a look at the structure of this function.
Bool is_numeric (mixed $ var)
Returns TRUE if var is a number or number string; otherwise, returns FALSE.
Ii. Function Security
Next, let's take an example to show whether the function is safe.
The Code is as follows:
$ S = is_numeric ($ _ GET ['s '])? $ _ GET ['s']: 0;
$ SQL = "insert into test (type) values ($ s);"; // It is values ($ s) Not values ('$ s ')
Mysql_query ($ SQL );
The above code snippet judges whether the parameter s is a number. If yes, it returns a number. If not, it returns 0 and then brings it to the database for query. (In this way, SQL statements cannot be constructed)
We Convert '1 or 1' to hexadecimal 0x31206f722031 as the value of s.
After the program runs, let's query the database, for example:
If you re-query the fields of this table, and do not filter the fields into another SQL statement, it will cause two injections.
Iii. Summary
Try not to use this function. If you want to use this function, we recommend that you use a standard SQL statement and add single quotation marks to the condition. In this way, the hexadecimal 0x31206f722031 will be displayed in the database. Instead of 1 or 1.
