SQL injection vulnerability caused by the PHP is_numeric function

  • 2020-03-30 02:21:37
  • OfStack

I. Introduction to the is_numeric function
I've seen the is_numeric function used in some of the CMS programs in the country, so let's look at the signature of this function:
bool is_numeric(mixed $var)
It returns TRUE if var is a number or a numeric string, and FALSE otherwise.
II. Is the function safe?
Let's look at an example to see whether this function is safe.

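// Use the parameter as-is if is_numeric() accepts it, otherwise fall back to 0
$s = is_numeric($_GET['s']) ? $_GET['s'] : 0;
// Note: the value is inserted unquoted, values($s), not values('$s')
$sql = "insert into test(type) values($s);";
mysql_query($sql);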

The program above checks whether the parameter s is numeric. If it is, the value is used as-is; if not, 0 is used instead. At first glance this means an attacker cannot inject into the SQL statement.
However, in PHP versions before 7.0 is_numeric also accepts hexadecimal strings, and MySQL interprets an unquoted 0x... literal as the string it encodes. So we convert '1 or 1' to hex, 0x31206f722031, and pass it as the value of the s parameter.
After the program runs, we query the database and find that the stored value is the string 1 or 1, not the hex literal.
If that field is later read back from the table and placed into another SQL statement without filtering, the result is a second-order injection.
III. Summary
Try not to use this function for input filtering. If you do use it, write the SQL statement in the standard form with the value in single quotes, so that the hexadecimal text 0x31206f722031 is what gets stored in the database instead of 1 or 1.
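The following is an added example, not code from the original article. It goes one step beyond the single-quote advice by combining a strict decimal-integer check with a bound parameter; the helper name strict_int is hypothetical, and PDO with an in-memory SQLite database is used in place of mysql_query and MySQL so the script runs offline.

```php
<?php
// Added example, not the article's code. Assumes PHP 7+ with pdo_sqlite;
// SQLite in memory stands in for MySQL so the script runs offline.

/** Accept only a plain decimal integer string; anything else gives null. */
function strict_int($raw): ?int
{
    if (!is_string($raw)) {
        return null; // e.g. an array from ?s[]=1
    }
    // \A...\z anchors the whole string: no hex prefix, exponent, sign or spaces.
    return preg_match('/\A[0-9]{1,9}\z/', $raw) === 1 ? (int) $raw : null;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (type TEXT)');

// The value is sent as a bound parameter and never becomes part of the SQL text.
$insert = $pdo->prepare('INSERT INTO test (type) VALUES (:type)');

// Constructed inputs standing in for $_GET['s'].
$samples = ['42', '0x31206f722031', '1e5', '1 or 1'];
foreach ($samples as $raw) {
    $n = strict_int($raw);
    // is_numeric() on the hex string is TRUE before PHP 7.0 and FALSE from 7.0 on.
    printf("%-16s is_numeric=%-5s strict_int=%s\n", $raw,
        var_export(is_numeric($raw), true), var_export($n, true));
    $insert->execute([':type' => $n ?? 0]); // same fallback to 0 as the article
}

// Even an unvalidated value is stored as literal text when it is bound.
$insert->execute([':type' => '0x31206f722031']);
foreach ($pdo->query('SELECT type FROM test') as $row) {
    echo $row['type'], "\n";
}
```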

