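to hflsj(红枫): When the data is updated there is no need to rewrite the related pages. In fact all of the pages are dynamic, and many of the pages that look like .htm are fake. Hehe, anyone interested can add me to discuss. MSN: [email protected]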
http://www.1diantong.com/category/1241/1.1,124'1,001'.htm How come this is there? For testing, I guess.
select a.good_id from goodcats a,cattree b,goodlists c where a.cate_id=b.cate_chld and b.cate_prnt=124\'1 and a.good_id=c.good_id and c.list_stimeunix_timestamp() group by a.good_id limit 0,10 [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\'1 and a.good_id=c.good_id and c.list_stime
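to jxyuhua(一塌糊涂): Hehe, not bad, someone spotted it.
The filtering at registration is very incomplete, so the original poster had better be careful! You can register with and 1=1 or ''''' as the username! To make such a basic mistake! Generating everything as static pages does not mean there is no injection; any form can give injection an opening!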
register_globals = off
magic_quotes_gpc = off
Both of the above are in the OFF state, so I think there is basically no danger of an injection attack.
select a.good_id from goodcats a,cattree b,goodlists c where a.cate_id=b.cate_chld and b.cate_prnt=124\'1 and a.good_id=c.good_id and c.list_stimeunix_timestamp() group by a.good_id limit 0,10 [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\'1 and a.good_id=c.good_id and c.list_stime
HTTP/1.1 400 Bad Request
Date: Thu, 05 May 2005 18:23:33 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.1
Connection: close
Content-Type: text/html; charset=iso-8859-1
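
An added example, not part of any post in this thread: the error output above shows the request value arriving as `124\'1` in an unquoted numeric comparison, where quote escaping does not keep input out of the SQL text. The sketch uses Python with an in-memory SQLite database in place of the site's PHP and MySQL; the sample rows and the names `addslashes`, `goods_concat` and `goods_bound` are assumptions made for illustration.

```python
import sqlite3

def addslashes(s):
    # Rough stand-in for the quote escaping that magic_quotes_gpc applied.
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def make_db():
    # Constructed sample data; table and column names follow the query in the thread.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cattree  (cate_prnt INTEGER, cate_chld INTEGER);
        CREATE TABLE goodcats (good_id INTEGER, cate_id INTEGER);
        INSERT INTO cattree  VALUES (124, 1), (124, 2), (999, 3);
        INSERT INTO goodcats VALUES (10, 1), (11, 2), (12, 3);
    """)
    return db

QUERY = ("select a.good_id from goodcats a, cattree b "
         "where a.cate_id = b.cate_chld and b.cate_prnt = ")

def goods_concat(db, raw):
    # Weak form: the value is escaped but pasted into an unquoted numeric
    # position, so anything without quotes is parsed as SQL.
    sql = QUERY + addslashes(raw) + " group by a.good_id"
    return sorted(r[0] for r in db.execute(sql))

def goods_bound(db, raw):
    # Corrected form: accept only ASCII digits, then bind the integer as a
    # parameter so it never becomes part of the SQL text.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("category id must be numeric")
    sql = QUERY + "? group by a.good_id"
    return sorted(r[0] for r in db.execute(sql, (int(raw),)))

if __name__ == "__main__":
    db = make_db()
    for raw in ("124", "124 and 1=1", "124'1"):  # last two appear in the thread
        for fn in (goods_concat, goods_bound):
            try:
                print(fn.__name__, repr(raw), "->", fn(db, raw))
            except (sqlite3.OperationalError, ValueError) as exc:
                print(fn.__name__, repr(raw), "-> rejected:", exc)
```

In the concatenated form the escaped quote only produces a syntax error like the one quoted in the thread, while the quote-free string runs as part of the statement; the bound form refuses both before any SQL is executed.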