由于程序是开源程序

并下载其程序看了一番。其实程序员还是有一点安全意识的：

防注入代码：

复制代码代码如下:

//要过滤的非法字符

$ArrFiltrate = array (

"#union#i",

"#<script#i",

"#/script>#i",

"#select#i",

"#alert#i",

"#javascript#i",

"#<table#i",

"#<td#i",

"#"#i",

"#'#i",

"#delete#i",

"#vbscript#i",

"#applet#i",

"#frame#i",

"#<div#i",

"#update#i",

"#'#i",

"#union #i",

"#select #i",

"#delete #i",

"#update #i",

"#and #i",

"#;#i",

"#update#i"

);

$replacements='';

function FunStringExist(&$array,$ArrFiltrate,$replacements)

{

if (is_array($array))

{

foreach ($array as $key => $value)

{

if (is_array($value))

FunStringExist($array[$key],$ArrFiltrate,$replacements);

else

$array[$key] = preg_replace($ArrFiltrate, $replacements, $value);

}

}

}

FunStringExist($_GET,$ArrFiltrate,$replacements);

FunStringExist($_POST,$ArrFiltrate,$replacements);

这段代码多少还是有瑕疵的、只过滤 get post 我们只要找调用request的地方

别一个文件并没有调用防注入程序，导致字符注入、但受gpc影响

复制代码代码如下:

header("Content-Type:text/html;charset=utf-8");

include "../comm/config.php";

$uname = trim($_GET["name"]);

if($uname==''){

echo "true";

}else{

$con = @mysql_connect("$dbserver","$dbuser","$dbpass" )or die(ERR_DB);

mysql_select_db("$dbname",$con)or die("can not choose the dbname!");

$query="select * from ".$BIAOTOU."user where ddusername='".$uname."'";

mysql_query("set names utf8");

$res=mysql_query($query);

if(mysql_num_rows($res)!=0)

{echo "true";}

else

{echo "false";}

}

首先注册一个用户.让程序能过判断

ckuser.php?name=maxadd' and 1=1 and ''='

返回true

ckuser.php?name=maxadd' and 1=2 and ''='

返回false