The website has a problem and a vulnerability exists. come here today and ask the csdn team to help solve the problem.

Website problems, there are loopholes, today come here to ask csdn brothers help me solve I made a health care products station http://www.bjp51.net these two days a little problem, with 360 sweep, high risk, only 49 points, the report is as follows:



The first is a very serious problem. I want to solve the first problem today.
Let's take a look at the comments in Section 360.


I don't know how to change it. I hope you can help solve it.

Reply to discussion (solution)

This is the source code of the contrast. php file.

 Alert ('Operation failed! Select at least one item. '); Window. opener = null; window. open ('', '_ self'); window. close () script "; exit;} $ tdwidth = floor (90/$ I); // round, 10% on the left $ SQL = "select * from zzcms_main where id in ($ id)"; $ rs = mysql_query ($ SQL);?>
 
 
  
  
  
 
   
 
    
[Product image]
  
    
"Target =" _ blank "> alt =" "Border =" 0 ">
  
   
 
   
 
    
[Product name]
  
    
 
  
   
 
   
 
    
[Main functions]
  
    
 
  
   
 
   
 
    
[Specification packaging]
  
    
 
  
   
 
   
 
    
China Merchants region
  
    
 
  
   
 
   
 
    
Product Description
  
    
 
  
   
 
   
 
    
Available support
  
    
 
  
   
 
   
 
    
Requirements for agents
  
    
 
  
   
 
   
 
    
Remarks
  
    
 
  
   
 
  
 
 
 
 
 

$ Id = '';
If (! Empty ($ _ POST ['id']) {
For ($ I = 0; $ I $ Id = $ id. ($ _ POST ['id'] [$ I]. ',');
}
$ Id = substr ($ id, 0, strlen ($ id)-1); // remove the last ","
}
$ SQL = "select * from zzcms_main where id in ($ id )"

He thinks that you use the imported data in the SQL command without checking.

$ Id = '';
If (! Empty ($ _ POST ['id']) {
For ($ I = 0; $ I $ Id = $ id. ($ _ POST ['id'] [$ I]. ',');
}
$ Id = substr ($ id, 0, strlen ($ id)-1); // remove the last ","
}
$ SQL = "select * from zzcms_main where id in ($ id )"

He thinks that you use the imported data in the SQL command without checking.

My name is php. how can I verify it? how can I check it?

Also, if I don't check it, is it easy to be injected?

 $id = $id . (intval($_POST['id'][$i]) . ',');

The principle of SQL injection is to inject data from the address bar or form.


If you GET $ _ GET ["a"] from the address bar and use it directly in the program without filtering, it will pose a threat. For example:

If $ _ GET ["a"] = 1; then:
$ SQL = "SELECT * from aa where id = $ _ GET [" a "]"; that is, $ SQL = "SELECT * FROM AA WHERE id = 1 ";
However, if someone else modifies the value of $ _ GET ["a"] to 1 or (and) XXX, the query statement becomes

$ SQL = "SELECT * FROM AA WHERE id = 1 or (and) xxx ";


That's why I got it.

Therefore, the parameters in the address bar and form must be formatted and filtered out to specify the type, length, and characters ......

$ SQL = "select * from zzcms_main where id in ($ id )";
$ Id? Yes? OK ??, Use ?? What? Yes ,? But it was injected.

Because? Id can only be? So you can use intval? Cheng? Word, if not? Word ??? 0 ,?? The injection fails.

Security level: High risk
The security level beat 46% of websites nationwide!

$ Id = $ id. (intval ($ _ POST ['id'] [$ I]). ',');

The input data replaces the single quotes with two consecutive single quotes. the SQL statement uses the input parameters with single quotes.
$ Id = str_replace ("'", "'' ", $ _ POST ['id']);
$ SQL = "select * from tb_user wher id = '$ ID '";
In this way, we are not afraid of injection.

Thank you for choosing $ id = $ id. ($ _ POST ['id'] [$ I]. ','); replace with $ id = $ id. (intval ($ _ POST ['id'] [$ I]). ','

That's right.

The above is not correct. I changed it to this.
If (! Empty ($ _ POST ['id']) {
For ($ I = 0; $ I // $ Id = $ id. ($ _ POST ['id'] [$ I]. ',');
$ Id = $ id. (intval ($ _ POST ['id'] [$ I]). ',');
}
$ Id = substr ($ id, 0, strlen ($ id)-1); // remove the last ","
}

Is that true?

if(!empty($_POST['id'])) {  $id = join(',', array_map('intval', $_POST['id']));}

You 'd better change $ id to another name.

if(!empty($_POST['id'])) {  $id = join(',', array_map('intval', $_POST['id']));}

You 'd better change $ id to another name.

I am not familiar with php, so I will use this code without looking for variables.
Thank you for your selfless spirit.
I found out that you are solving another problem for me. thank you again!