/wss/default_task_add.php? csa_to_user未過濾直接帶進SQL查詢 $to_user = -1;if (isset($_POST[csa_to_user])) {$to_user= $_POST[csa_to_user];}mysql_select_db($database_tankdb, $tankdb);$query_touser = SELECT * FROM tk_user WHERE tk_user_login =
csa_to_user未過濾直接帶進SQL查詢
$to_user = "-1";
if (isset($_POST['csa_to_user'])) {
$to_user= $_POST['csa_to_user'];
}
mysql_select_db($database_tankdb, $tankdb);
$query_touser = "SELECT * FROM tk_user WHERE tk_user_login = '$to_user'";
$touser = mysql_query($query_touser, $tankdb) or die(mysql_error());
可使用查詢使用者密碼
SELECT * FROM `tk_user` WHERE tk_user_login = 'admin' AND substring(`tk_user_pass`,1,1)='a'
修复方案:
GetSQLValueString($_POST['csa_to_user'], "text")
GetSQLValueString($_POST['csa_to_user'], "text")