从日期字符串可能进行注入选择查询 [英] Possible injection from date string Select query

问题描述

我有一个问题，这有点奇怪.我的页面包含一个html链接，该链接刷新页面并调用PHP变量.此变量在URL字符串后附加一个日期字符串，该字符串将输入到MySQL查询中，该MySQL查询将获取与该日期匹配的记录.我认为这是造成注入的原因，因为有时它会从数据库中删除用户！

我知道使用超链接中的'#'可能存在安全问题，但我想知道发生了什么事情.同样，这也会对不同的浏览器产生不同的影响，因为它们使用javascript的方式不同.被删除的用户似乎仅在某些人的计算机上发生.

PHP代码从现在开始计算三天的时间戳，然后将其放入SQL格式:

$ts_threeDays   = mktime(1,0,0,date('m'), date('d')+3-date('w'), date('y'));     
$threeDaysAhead = date('y-m-d', $ts_second_day);    

然后，脚本在页面上的超链接传递的url字符串中侦听"day"变量:

$date = mysql_real_escape_string($_GET['day']);

JavaScript和超链接是:

<a href='#' onClick="document.location.href='planner.php?day=<?php echo $threeDaysAhead; ?>'"> 3 Days Later</a>

MySQL查询更大，但它从用户操作中获取的唯一输入就是上述日期字符串.查询基本上看起来像这样(使用另一个select语句访问users表):

SELECT planner.details FROM planner 
WHERE  planner.date = '$date' AND users.`user_id` = '$id' // Logged in Id superglobal

如果有人可以帮助我并解释我的问题，我将不胜感激. 非常感谢

解决方案

在通过mysql_real_escape_string传递$date时，必须怀疑是$id还是我们看不到的东西.

SELECT语句不会从数据库中删除内容.您的PHP文件中还有什么负责删除用户，还有if/else逻辑损坏了，这些逻辑最终导致在确实不应该删除用户的情况下通过一个函数删除用户吗?

I have a problem wich is a little strange. My page contains a html link which refreshes the page and calls a PHP variable. This variable appends a date string to the url string which is fed into a MySQL query, which grabs records matching this date. I think this is causing an injection as it sometimes deletes the user from the database!

I know there may be security issues using the '#' in the hyperlink, but I'd like to know whats going on. Also would this have different effects on different browsers seeing as how it uses javascript. The users being deleted seems to happen only on some peoples computers.

The PHP code calculates a timestamp three days from now and then puts it into a SQL format:

$ts_threeDays   = mktime(1,0,0,date('m'), date('d')+3-date('w'), date('y'));     
$threeDaysAhead = date('y-m-d', $ts_second_day);    

The script then listens for the 'day' variable in the url string passed by the hyperlink on the page:

$date = mysql_real_escape_string($_GET['day']);

The JavaScript and hyperlink is:

<a href='#' onClick="document.location.href='planner.php?day=<?php echo $threeDaysAhead; ?>'"> 3 Days Later</a>

The MySQL query is bigger but the only input it takes from user action is the above date string. Query basically looks like this (uses another select statement to access users table):

SELECT planner.details FROM planner 
WHERE  planner.date = '$date' AND users.`user_id` = '$id' // Logged in Id superglobal

If anyone can help me out and explain my problem I will be most grateful. Many thanks

解决方案

As you're passing $date through mysql_real_escape_string, suspicion has to fall on either $id, or something we can't see.

A SELECT statement isn't going to delete stuff from your db. What else do you have in your PHP file that's responsible for deleting users, and could you have some broken if/else logic that ends up passing through a function to delete users when they really shouldn't be?

这篇关于从日期字符串可能进行注入选择查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！