PHP??????

admin

???php?????? ??sql????

php?????? ??sql???? ?SQL???? ??????????? GET ?????????????????????????????????????????????????????????????????????????????????

?? 1?????????????

?? Web ?????????????????????????????????(outside data) ????????? PHP ?????????????????????????????????(?? GET ????? POST??????????????? cookie)????????????? ?????????????????????????? PHP ????? ?? 1. ???????

$myUsername = �tmyer�;

$arrayUsers = array(�tmyer�, �tom�, �tommy�);

define(�GREETING�, �hello there� . $myUsername);

?>

?????????????????

?? 2. ??????????

$myUsername = $_POST[�username�]; //tainted!

$arrayUsers = array($myUsername, �tom�, �tommy�); //tainted!

define(�GREETING�, �hello there� . $myUsername); //tainted!

?>

? ??????? $myUsername ??????????????? POST??????????????????????????????????????????????????�??????????? A-Z ????(Javascr?pt)???????????????�???????????????????????????????????????? ????????????????????????????

??????????? $_POST[�username�] ??????????????????? $myUsername ???????(?????????)???????????

????????????????????????????????????????????????????????????????????????????????????

?? 3. ?????????

$myUsername = cleanInput($_POST[�username�]); //clean!

$arrayUsers = array($myUsername, �tom�, �tommy�); //clean!

define(�GREETING�, �hello there� . $myUsername); //clean!

function cleanInput($input){

$clean = strtolower($input);

$clean = preg_replace(�/[^a-z]/�, ��, $clean);

$clean = substr($clean,0,12);

return $clean;

}

?>

?? 2?????????????? PHP ??

????????????????????????????? PHP ????????????

register_globals?????? register_globals????????????????? $variable ?

???? GET ? POST ?????????????PHP ??????????????????????????? POST ???????? $_POST[�variable�]???????????????? cookie???? GET ???

?? 3???????????????

???????????????????????????????????????????????????????????????????????????????

??????????????????

?? 4. ?????????

//obfuscated code

$input = (isset($_POST[�username�]) ? $_POST[�username�]:�);

//unobfuscated code

$input = �;

if (isset($_POST[�username�])){

$input = $_POST[�username�];

}else{

$input = �;

}

?>

??????????????????? $input ??????????????????????? ?? 4?�????� ?????

??????????????????????????? PHP ?????????????????? PHP regex ??? GET ??????????????????? SQL ???????????? ?????????????????????????????

????????????????????????SQL ?????

??SQL????

?SQL???? ??????????? GET ?????????????????????????????????????????????????????????????????????????????????

?? 5. ???????

Username

Password

????????????????????????????? verify.php ???????????PHP ?????????????????

?? 6. ???? PHP ??????

$okay = 0;

$username = $_POST[�user�];

$pw = $_POST[�pw�];

$sql = �select count(*) as ctr from users where username=��.$username.�� and password=��. $pw.�� limit 1?;

$result = mysql_query($sql);

while ($data = mysql_fetch_object($result)){

if ($data->ctr == 1){

//they�re okay to enter the application!

$okay = 1;

}

}

if ($okay){

$_SESSION[�loginokay�] = true;

header(�index.php�);

}else{

header(�login.php�);

}

?>

????????????????????(????)? PHP/MySQL ?????????????????????? �????????�????????????????????????????????????????????????? SQL ?????

????????? foo ???????? � or �1?=�1 ???????????????????? PHP????????? MySQL?

$sql = �select count(*) as ctr from users where username=�foo� and password=� or �1?=�1? limit 1?;

?>

??????????? 1??? PHP ????????????????????????? SQL??????????????

???PHP Filter ??

PHP Filter ??

PHP Filter ??

PHP ????????????????????????????????

??

filter ??? PHP ?????????????????????

PHP Filter ??

PHP???????????? PHP ???

???PHP????

PHP??????

?????(important) addcslashes � ?C?????????????????? addslashes -- ??????????

?bin2hex -- ??????????????? chop -- rtrim() ?????

??chr -- ?????? ascii ??????????? chunk_split -- ????????? convert_cyr_string -- ?????? Cyrillic ???????? convert_uudecode -- Decode a uuencoded string convert_uuencode -- Uuencode a string count_chars -- ???????????? crc32 -- ???????? crc32 ??? crypt � ?????DES????

?????echo � ????????????

?????explode -- ??????????????? fprintf � ??????????? get_html_translation_table -- Returns the translation table used by htmlspecialchars() and htmlentities() hebrev -- Convert logical Hebrew text to visual text hebrevc -- Convert logical Hebrew text to visual text with newline conversion

???html_entity_decode � ????HTML?????????? ???htmlentities � ?????????HTML??

???htmlspecialchars_decode -- ????HTML?????????? ???htmlspecialchars -- ?????????HTML?? ?????implode � ?????????????????? join -- implode()????? levenshtein -- Calculate Levenshtein distance between two strings localeconv -- Get numeric formatting information

?????ltrim -- ????????????(????????) md5_file � ?????????MD5??

?????md5 -- ??????????MD5?? metaphone -- Calculate the metaphone key of a string money_format � ?????????????????nl_langinfo -- Query language and locale information nl2br -- ???????HTML????? number_format -- Format a number with grouped thousands ??ord � ???????ASCII?

parse_str -- ???????

????print � ???????

????printf � ?????????? quoted_printable_decode -- Convert a quoted-printable string to an 8 bit string quotemeta -- Quote meta characters

?????rtrim -- ????????????(????????) setlocale -- Set locale information sha1_file � ??????SHA1????(??) sha1 -- ???????SHA1????(??) similar_text -- ????????????? soundex --????????soundex key sprintf � ???????????? sscanf -- Parses input from a string according to a format str_ireplace -- Case-insensitive version of str_replace().

str_rot13 -- Perform the rot13 transform on a string str_shuffle -- Randomly shuffles a string

?????str_split -- ?????????????

???str_word_count -- ?????????????

strcasecmp -- Binary safe case-insensitive string comparison strchr -- strstr() ???

strcmp � ?????(????????)

strcoll -- Locale based string comparison strcspn -- Find length of initial segment not matching mask ?????strip_tags � ????????HTML?PHP???? stripcslashes -- ?????C???????????

?????stripos -- Find position of first occurrence of a

case-insensitive string????????????????(?????)???????? stripslashes -- ??????addslashes()???????

stristr -- Case-insensitive strstr()

?????strlen �???????? strnatcasecmp -- Case insensitive string comparisons using a "natural order" algorithm strnatcmp -- String comparisons using a "natural order" algorithm ????strncasecmp -- ?????????????

strncmp -- Binary safe string comparison of the first n characters strpbrk -- Search a string for any of a set of characters

????strpos -- ??????????????????????

?????strrchr � ?????????????????????????????

???strrev � ????????

?????strripos -- ???????????????????(??????)?

?????strrpos -- ???????????????????(?????)? strspn -- Find length of initial segment matching mask

?????strstr � ???????????????????????????(?????)? strtok -- Tokenize string

???strtolower �?????????????

???strtoupper � ????????????? strtr -- Translate certain characters substr_compare -- Binary safe optionally case insensitive comparison of 2 strings from an offset, up to length characters

???substr_count �?????????(?????) substr_replace � ????

?????substr � ?????????

?????trim � ????????????(??????)

???ucfirst � ??????????????

???ucwords -- ??????????????????? vfprintf -- Write a formatted string to a stream vprintf � ???????????? vsprintf � ????????????

???wordwrap -- ???????????

???

????(important) array_change_key_case -- ????????????????? array_chunk -- ?????????? array_combine -- ??????????????????????????????? array_count_values -- ?????????????? array_diff_assoc -- ???????????? array_diff_key -- ????????????? array_diff_uassoc -- ??????????????????????? array_diff_ukey -- ????????????????? array_diff -- ??????? array_fill -- ????????? array_filter -- ????????????? array_flip -- ?????????

array_intersect_assoc -- ???????????? array_intersect_key -- ????????????? array_intersect_uassoc -- ?????????????????????? array_intersect_ukey -- ????????????????? array_intersect -- ??????? array_key_exists -- ?????????????????? array_keys -- ?????????? array_map -- ???????????????? array_merge_recursive -- ????????????

?????array_merge -- ????????? array_multisort -- ?????????????? array_pad -- ????????????

?????array_pop -- ??????????????? array_product -- ???????????

?????array_push -- ??????????????????? ???array_rand -- ??????????????? array_reduce -- ??????????????????

???array_reverse -- ?????????????

?????array_search -- ??????????????????????? array_shift -- ???????????? array_slice -- ???????? array_splice -- ?????????????????

???array_sum -- ?????????? array_udiff_assoc -- ?????????????????????? array_udiff_uassoc -- ????????????????????????? array_udiff -- ????????????????? array_uintersect_assoc -- ?????????????????????? array_uintersect_uassoc -- ????????????????????????? array_uintersect -- ?????????????????

?????array_unique -- ????????? array_unshift -- ?????????????? array_values -- ????????? array_walk_recursive -- ?????????????????? array_walk -- ???????????????

?????array -- ??????

??????????arsort -- ???????????????? ??????????asort -- ?????????????? compact -- ????????????????? count -- ???????????????????

????current -- ??????????

?????each -- ????????????????????????

????end -- ???????????????? extract -- ????????????????

??????????in_array -- ????????????

?????key -- ??????????

??????????krsort -- ???????????

??????????ksort -- ?????????

????list -- ???????????? natcasesort -- ?�????�?????????????????? natsort -- ?�????�???????

????next -- ??????????????? pos -- current() ???

????prev -- ???????????? range -- ???????????????

?????reset -- ???????????????

?????rsort -- ??????? shuffle -- ?????

??????????sizeof -- count() ???

?????sort -- ????? uasort -- ????????????????????????????? uksort -- ??????????????????????? usort -- ??????????????????????

???? cal_days_in_month -- Return the number of days in a month for a given year and calendar cal_from_jd -- Converts from Julian Day Count to a supported calendar cal_info -- Returns information about a particular calendar cal_to_jd -- Converts from a supported calendar to Julian Day Count easter_date -- Get Unix timestamp for midnight on Easter of a given year easter_days -- Get number of days after March 21 on which Easter falls for a given year FrenchToJD -- Converts a date from the French Republican Calendar to a Julian Day Count GregorianToJD -- Converts a Gregorian date to Julian Day Count JDDayOfWeek -- Returns the day of the week JDMonthName -- Returns a month name JDToFrench -- Converts a Julian Day Count to the French Republican Calendar JDToGregorian -- Converts Julian Day Count to Gregorian date jdtojewish -- Converts a Julian day count to a Jewish calendar date JDToJulian -- Converts a Julian Day Count to a Julian Calendar Date jdtounix -- Convert Julian Day to Unix timestamp


?PHP??????????????
?????http://www.850500.com/news/70963.html
?????,??!