Menzhi007
I am very grateful for the clear explanation of the mysql comparison operation.
Http://www.bkjia.com/database/201003/45294.html
When the where condition is executed in mysql, 0 can be used as a wildcard to query the indexed data.
Mysql> select username from users where username = 0 limit 1;
+ ---------- +
| Username |
+ ---------- +
| Admin |
+ ---------- +
1 row in set
In the morning, I performed oracle and mssql tests on my students.
Inadequate. For example, we should compare strings with numbers. Let's test it by yourself.
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0-Prod
MSSQL
In the end, we can only test successfully in mysql.
If you encounter problems in the instance program, When you directly access the Controller method, especially if the user name and password are not submitted, "0" will be submitted by default, which will directly cause bypass verification.
Code in users. php Controllers
/* Post-fix homepage logon box */
Function ajax_login_back (){
If ($ this-> input-> post (username )! = "" & $ This-> input-> post (password )! = "") {// Add this sentence to determine whether it is null
Echo $ this-> users_model-> verify_user ($ this-> input-> post (username), $ this-> input-> post (password ));
} Else {
Redirect (articles, refresh );
}
}
// Vulnerability code
Function ajax_login (){
Echo $ this-> users_model-> verify_user ($ this-> input-> post (username), $ this-> input-> post (password); // vulnerability code
}
Code in users_model.php Models
Public function verify_user ($ username, $ password ){
$ Query = $ this-> db-> where (username, $ username );//
// $ Query = $ this-> db-> where (password is not null );
$ Query = $ this-> db-> where (password, $ password );
$ Query = $ this-> db-> get (users, 1 );
If ($ query-> num_rows () = 1 ){
$ Row = $ query-> row_array ();
$ Data = array (
Uid => $ row [uid],
Username => $ row [username],
Level => $ row [level],
Logged_in => TRUE
);
$ This-> session-> set_userdata ($ data );
Return 1;
} Else {
Return NULL;
}
}
Code in front-end index. php Views
<Script type = "text/javascript">
$. Ui. dialog. defaults. bgiframe = true;
// $. Post () method:
$ (Document). ready (function (){
$ (# Loginsubmit). click (function (){
$. Post (
<? Php echo site_url (users/ajax_login)?>,
{
Username: $ (# username). val (),
Password: $ (# password). val ()
},
Function (data ){
If (data = 1 ){
Location. reload ();
} Else {
$ (# Dialog). dialog ({
AutoOpen: true,
Width: 300,
Buttons :{
"OK": function (){
$ (This). dialog ("close ");
Location. reload ();
},
"Cancel": function (){
$ (This). dialog ("close ");
Location. reload ();
}
}
});
}
}
);
});
});
</Script>
Let's take a look at how mysql_driver.php is defined.
Function _ execute ($ SQL)
{// Echo $ SQL; test the output SQL statement
$ SQL = $ this-> _ prep_query ($ SQL );
Return @ mysql_query ($ SQL, $ this-> conn_id );
}
The following statement is executed by default.
It is obvious that, directly executed, framework-based programs are prone to such risks.
WoyiguiAn error will be reported if you do not add quotation marks. This should be a reasonable explanation.
Finally, I would like to thank you again.