PHP careful urldecode raised SQL injection vulnerabilities _php tips

Source: Internet
Author: User
Tags sql injection
Ihipop School of Discuz X1.5 Forum was black, where a quarrel for an afternoon. Google "discuz! x1-1.5 notify_credit.php blind SQL injection exploit ", you know.

Discuz is a very popular forum system in China, it should be a lot of black sites. But I'm not interested in invading other people's websites, and I despise the so-called "hackers" that code does not write that can only be attacked with tools that others emit.


A cursory look at the code, this SQL injection vulnerability is caused by the UrlDecode function. In the PHP manual, there is a warning under the UrlDecode function:

The Superglobals $_get and $_request are already decoded. The Using UrlDecode () on a element in $_get or $_request could have unexpected and dangerous.

And Discuz's developers (presumably novice) add a urldecode to the lily:
Copy Code code as follows:

foreach ($_post as $k => $v) {
$value = UrlDecode ($v);
$this->setparameter ($k, $value);
}

Single quotes are urlencode two times after the%2527, and then post,php the internal in the generation of global variable $_post will first UrlDecode, get%27, and then PHP will check the Magic quotes settings, but whether or not to open Magic Quotes,%27 will not be addslashes, because there is no single quotation mark at all. But then if you add urldecode,%27 to the PHP code, it becomes a single quote, and then ... You know.

In my beginner PHP, look at the school library of a rotten book, which did not write PHP in the process of processing the form will automatically urldecode, so they use the UrlDecode function to decode (vaguely remember the book seems to be so written, really fraught AH).

To sum up, is: 1, the choice of a good book is very important; 2, use the UrlDecode function carefully. 3, notice the warning in the PHP manual.
Original from http://demon.tw/programming/php-urldecode-sql-injection.html

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.