这是contrast.php的文件源码<body>
<?php
$id='';
if(!empty($_POST['id'])){
for($i=0; $i<count($_POST['id']);$i++){
$id=$id.($_POST['id'][$i].',');
}
$id=substr($id,0,strlen($id)-1);//去除最后面的","
}if ($id==''){
echo "<script lanage='javascript'>alert('操作失败!至少要选中一条信息。');window.opener=null;window.open('','_self');window.close()</script>";
exit;
} $tdwidth=floor(90/$i);//取整,左边占10%$sql="select * from zzcms_main where id in ($id)" ;
$rs=mysql_query($sql);
?><table width="100%" height="218" border="0" align="center" cellpadding="5" cellspacing="1" class="bgcolor3">
<tr>
<td width="10%" align="center" bgcolor="#FFFFFF">【产品图片】 </td>
<?php while ($row=mysql_fetch_array($rs)){?>
<td bgcolor="#FFFFFF" style="font-weight:bold" width="<?php echo $tdwidth ?>%"><a href="<?php echo $row["img"]?>" target="_blank"><img <?php echo getsmallimg($row["img"],"")?> alt="<?php echo $row["proname"]?>" border="0" ></a></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center">【产品名称】 </td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td style="font-weight:bold"><?php echo $row["proname"]?></td>
<?php
}
?>
</tr>
<tr>
<td width="100" align="center" bgcolor="#FFFFFF">【主要功能】</td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td valign="top" bgcolor="#FFFFFF" ><?php echo $row["prouse"]?></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center">【规格包装】</td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td><?php echo $row["gg"]?></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center"><strong>招商区域</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td><?php echo $row["city"]?></td>
<?php
}
?>
</tr>
<tr>
<td width="100" align="center" bgcolor="#FFFFFF"><strong>产品说明</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td valign="top" bgcolor="#FFFFFF"><?php echo nl2br($row["sm"])?></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center"><strong>可提供的支持</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td valign="top"><?php echo nl2br($row["zc"])?></td>
<?php
}
?>
</tr>
<tr>
<td width="100" align="center" bgcolor="#FFFFFF"><strong>对代理商的要求</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td valign="top" bgcolor="#FFFFFF"><?php echo nl2br($row["yq"])?></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center"><strong>备注</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td><?php echo nl2br($row["other"])?></td>
<?php
}
?>
</tr>
</table><table width="100%" height="60" border="0" cellpadding="0" cellspacing="0">
<tr>
<td align="center"><input type="button" name="Submit" value="关闭本窗口" onClick="javascript:window.close()"></td>
</tr>
</table>
<?php
mysql_close($conn);
?>
</body>
<?php
$id='';
if(!empty($_POST['id'])){
for($i=0; $i<count($_POST['id']);$i++){
$id=$id.($_POST['id'][$i].',');
}
$id=substr($id,0,strlen($id)-1);//去除最后面的","
}if ($id==''){
echo "<script lanage='javascript'>alert('操作失败!至少要选中一条信息。');window.opener=null;window.open('','_self');window.close()</script>";
exit;
} $tdwidth=floor(90/$i);//取整,左边占10%$sql="select * from zzcms_main where id in ($id)" ;
$rs=mysql_query($sql);
?><table width="100%" height="218" border="0" align="center" cellpadding="5" cellspacing="1" class="bgcolor3">
<tr>
<td width="10%" align="center" bgcolor="#FFFFFF">【产品图片】 </td>
<?php while ($row=mysql_fetch_array($rs)){?>
<td bgcolor="#FFFFFF" style="font-weight:bold" width="<?php echo $tdwidth ?>%"><a href="<?php echo $row["img"]?>" target="_blank"><img <?php echo getsmallimg($row["img"],"")?> alt="<?php echo $row["proname"]?>" border="0" ></a></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center">【产品名称】 </td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td style="font-weight:bold"><?php echo $row["proname"]?></td>
<?php
}
?>
</tr>
<tr>
<td width="100" align="center" bgcolor="#FFFFFF">【主要功能】</td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td valign="top" bgcolor="#FFFFFF" ><?php echo $row["prouse"]?></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center">【规格包装】</td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td><?php echo $row["gg"]?></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center"><strong>招商区域</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td><?php echo $row["city"]?></td>
<?php
}
?>
</tr>
<tr>
<td width="100" align="center" bgcolor="#FFFFFF"><strong>产品说明</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td valign="top" bgcolor="#FFFFFF"><?php echo nl2br($row["sm"])?></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center"><strong>可提供的支持</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td valign="top"><?php echo nl2br($row["zc"])?></td>
<?php
}
?>
</tr>
<tr>
<td width="100" align="center" bgcolor="#FFFFFF"><strong>对代理商的要求</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td valign="top" bgcolor="#FFFFFF"><?php echo nl2br($row["yq"])?></td>
<?php
}
?>
</tr>
<tr class="bgcolor1">
<td width="100" align="center"><strong>备注</strong></td>
<?php
mysql_data_seek($rs,0);
while ($row=mysql_fetch_array($rs)){?>
<td><?php echo nl2br($row["other"])?></td>
<?php
}
?>
</tr>
</table><table width="100%" height="60" border="0" cellpadding="0" cellspacing="0">
<tr>
<td align="center"><input type="button" name="Submit" value="关闭本窗口" onClick="javascript:window.close()"></td>
</tr>
</table>
<?php
mysql_close($conn);
?>
</body>
if(!empty($_POST['id'])){
for($i=0; $i<count($_POST['id']);$i++){
$id=$id.($_POST['id'][$i].',');
}
$id=substr($id,0,strlen($id)-1);//去除最后面的","
}
$sql="select * from zzcms_main where id in ($id)" 他认为你未经检查就在 sql 指令中使用了传入的数据
我是php小白,请问我应该怎么验证,怎么检查好呢?
如果你从地址栏得到一个$_GET["a"],不经过过滤就直接使用到程序中,就会造成威胁。比如:如果$_GET["a"]=1;那么:
$sql = "SELECT * FROM AA WHERE id =$_GET["a"]";就是$sql = "SELECT * FROM AA WHERE id =1";
但如果别人通过地址栏自行修改,把$_GET["a"]的值改为1 or (and) XXX各类代码,那这个查询语句就变成$sql = "SELECT * FROM AA WHERE id =1 or(and) xxx";
于是就中招了。所以地址栏和表单得到的参数,一定要格式化,过滤好,指定是什么类型,多长,限制哪些字符……
$id沒有進行過濾,用戶輸入什麼都可以,當然被注入了。因為id只能是數字,所以可以用intval轉成數字,如果非數字會轉為0,這樣就注入不到了。
$id = str_replace("'","''",$_POST['id']);
$sql = " select * from tb_user wher id='$id' ";
这样就不怕注入了。
if(!empty($_POST['id'])){
for($i=0; $i<count($_POST['id']);$i++){
//$id=$id.($_POST['id'][$i].',');
$id = $id.(intval($_POST['id'][$i]).',');
}
$id=substr($id,0,strlen($id)-1);//去除最后面的","
}这样是不是对了
$id = join(',', array_map('intval', $_POST['id']));
}
最好把 $id 换个名字
感谢版主无私的精神。
我才发现,另一个问题也是您在为我解决,再次感谢!