### 漏洞代码分析 /category.php ``` .. $filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0'; //变量 $filter_attr_str 是以“.” 分开的数组 $filter_attr = empty($filter_attr_str) ? '' : explode('.', trim($filter_attr_str)); .. /* 扩展商品查询条件 */ if (!empty($filter_attr)) { $ext_sql = "SELECT DISTINCT(b.goods_id) FROM " . $ecs->table('goods_attr') . " AS a, " . $ecs->table('goods_attr') . " AS b " . "WHERE "; $ext_group_goods = array(); foreach ($filter_attr AS $k => $v) // 查出符合所有筛选属性条件的商品id */ { if ($v != 0) { //$v 没有作任何处理就加入了SQL查询,造成SQL注入 $sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] ." AND a.goods_attr_id = " . $v; .. ``` ### 防御方法 /category.php ``` .. /*对用户输入的$_REQUEST['filter_attr']进行转义 */ $filter_attr_str = isset($_REQUEST['filter_attr']) ? htmlspecialchars(trim($_REQUEST['filter_attr'])) : '0'; /* */ $filter_attr_str = trim(urldecode($filter_attr_str)); /* 敏感关键字过滤 */ $filter_attr_str =...
### 漏洞代码分析 /category.php ``` .. $filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0'; //变量 $filter_attr_str 是以“.” 分开的数组 $filter_attr = empty($filter_attr_str) ? '' : explode('.', trim($filter_attr_str)); .. /* 扩展商品查询条件 */ if (!empty($filter_attr)) { $ext_sql = "SELECT DISTINCT(b.goods_id) FROM " . $ecs->table('goods_attr') . " AS a, " . $ecs->table('goods_attr') . " AS b " . "WHERE "; $ext_group_goods = array(); foreach ($filter_attr AS $k => $v) // 查出符合所有筛选属性条件的商品id */ { if ($v != 0) { //$v 没有作任何处理就加入了SQL查询,造成SQL注入 $sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] ." AND a.goods_attr_id = " . $v; .. ``` ### 防御方法 /category.php ``` .. /*对用户输入的$_REQUEST['filter_attr']进行转义 */ $filter_attr_str = isset($_REQUEST['filter_attr']) ? htmlspecialchars(trim($_REQUEST['filter_attr'])) : '0'; /* */ $filter_attr_str = trim(urldecode($filter_attr_str)); /* 敏感关键字过滤 */ $filter_attr_str = preg_match('/^[\d\.]+$/',$filter_attr_str) ? $filter_attr_str : ''; /**/ $filter_attr = empty($filter_attr_str) ? '' : explode('.', $filter_attr_str); .. foreach ($filter_attr AS $k => $v) // 查出符合所有筛选属性条件的商品id */ { /* is_numeric($v) */ if (is_numeric($v) && $v !=0 ) { .. ```
