From e268c4c1dad5ded2f2b6c03f4f74e768b64fcd00 Mon Sep 17 00:00:00 2001
From: naixiao <2641502441@qq.com>
Date: Thu, 20 Nov 2025 21:43:44 +0800
Subject: [PATCH 1/2] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20function.php=20?=
 =?UTF-8?q?=E4=B8=AD=E7=9A=84=20SQL=20=E6=B3=A8=E5=85=A5=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 在 if_login() 函数中使用预处理语句替换危险的字符串拼接
- 将模糊匹配(LIKE)改为精确匹配(=)提高安全性
- 修复身份验证绕过漏洞,防止 SQL 注入攻击
验证结果:
- 使用 SQLMap 测试确认注入漏洞已修复
- 用户查询功能正常工作
---
function.php | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/function.php b/function.php
index 570ca39..6820388 100644
--- a/function.php
+++ b/function.php
@@ -65,16 +65,25 @@ function if_login() {
 if (isset($_SESSION['user'])) {
 $user = $_SESSION['user'];
 $connectDatabase = connectDatabase();
- $sql = "SELECT * FROM `admin` WHERE `user` LIKE '$user'";
- $result = $connectDatabase->query($sql);
+
+ // 使用预处理语句
+ $sql = "SELECT * FROM `admin` WHERE `user` = ?";
+ $stmt = $connectDatabase->prepare($sql);
+ $stmt->bind_param("s", $user);
+ $stmt->execute();
+ $result = $stmt->get_result();
+
 if ($result->num_rows == 1) {
- return true;
+ $stmt->close();
+ $connectDatabase->close();
+ return true;
 }
+
+ $stmt->close();
 $connectDatabase->close();
 }
 return false;
 }
-
 function login() {
 $user = $_POST['user'];
 $pass = $_POST['pass'];
From 305b4c1cfb69a3378f4a49e25c77e5d0ebcf3938 Mon Sep 17 00:00:00 2001
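Review bot: The new if_login() body calls `$stmt->bind_param("s", $user)` immediately after `$stmt = $connectDatabase->prepare($sql);` without checking the result, so when prepare fails (mysqli::prepare returns false unless exception reporting is enabled, which is the PHP 8.1+ default) the check dies with `Call to a member function bind_param() on bool` instead of denying the session cleanly; the second commit adds an `if ($stmt)` guard in login() but this hunk does not. The same applies to `$stmt->execute()` and `$stmt->get_result()`, whose results are never tested before `$result->num_rows` is read. Proposed guard right after the prepare, so the authentication check fails closed: `if ($stmt === false) { $connectDatabase->close(); return false; }`, with a failed execute or get_result handled the same way. The `function if_login()` header sits just above the hunk; the rest of the function's body, including its `return false;`, is within it.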
From: naixiao <2641502441@qq.com>
Date: Thu, 20 Nov 2025 21:54:31 +0800
Subject: [PATCH 2/2] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20login()=20?=
 =?UTF-8?q?=E5=87=BD=E6=95=B0=E4=B8=AD=E7=9A=84=20SQL=20=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 在 login() 函数中使用预处理语句替换危险的字符串拼接
- 使用参数化查询防止用户输入直接拼接到 SQL 语句中
- 修复身份验证绕过漏洞,防止 SQL 注入攻击
验证结果:
- 使用 SQLMap 测试确认注入漏洞已修复
- 用户登录功能正常工作
- 密码验证和会话设置逻辑保持正常"
---
function.php | 48 +++++++++++++++++++++++++++++++-----------------
1 file changed, 31 insertions(+), 17 deletions(-)
diff --git a/function.php b/function.php
index 6820388..bc6ee8c 100644
--- a/function.php
+++ b/function.php
@@ -87,30 +87,44 @@ function if_login() {
 function login() {
 $user = $_POST['user'];
 $pass = $_POST['pass'];
- $sql = "SELECT * FROM `admin` WHERE `user` = '$user'";
-
+
 $connectDatabase = connectDatabase();
- $result = $connectDatabase->query($sql);
-if($result){
- if ($result->num_rows == 1) {
- $row = $result->fetch_assoc();
- if ($pass == $row['pass']) {
- $_SESSION['user'] = $user;
- $response["success"] = true;
- $response["message"] = "登录成功,感谢使用";
+
+ // 使用预处理语句防止SQL注入
+ $sql = "SELECT * FROM `admin` WHERE `user` = ?";
+ $stmt = $connectDatabase->prepare($sql);
+
+ if ($stmt) {
+ $stmt->bind_param("s", $user);
+ $stmt->execute();
+ $result = $stmt->get_result();
+
+ if($result){
+ if ($result->num_rows == 1) {
+ $row = $result->fetch_assoc();
+ if ($pass == $row['pass']) {
+ $_SESSION['user'] = $user;
+ $response["success"] = true;
+ $response["message"] = "登录成功,感谢使用";
+ } else {
+ $response["success"] = false;
+ $response["message"] = "密码错误";
+ }
+ } else {
+ $response["success"] = false;
+ $response["message"] = "账号不存在";
+ }
 } else {
 $response["success"] = false;
- $response["message"] = "密码错误";
+ $response["message"] = "查询失败,可能是数据库出现问题";
 }
+
+ $stmt->close();
 } else {
 $response["success"] = false;
- $response["message"] = "账号不存在";
+ $response["message"] = "数据库查询准备失败";
 }
-}else{
- $response["success"] = false;
- $response["message"] = "查询失败,可能是数据库出现问题";
-}
-
+
 $connectDatabase->close();
 return json_encode($response);
 }
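Review bot: The re-added line `if ($pass == $row['pass'])` still compares the raw POST value against the stored column with loose `==`, which this commit leaves untouched; since no hashing is applied to `$pass` before the compare, the column is apparently stored in the clear, and PHP's loose comparison treats numeric-looking strings by value (`"1e3" == "1000"` is true), so both the storage and the operator are weaker than the injection fix around them. Store the column with `password_hash()` and change the line to `if (password_verify($pass, $row['pass'])) {`, or, until the column can be migrated, at least `if (hash_equals((string) $row['pass'], (string) $pass)) {`. On the success path, call `session_regenerate_id(true);` before `$_SESSION['user'] = $user;` so a session id that existed before authentication is not promoted to an authenticated one. The distinct failure messages `账号不存在` and `密码错误` also let a client tell valid admin names from invalid ones; a single generic failure message for both branches closes that. Lastly, `$_POST['user']` and `$_POST['pass']` are read without a default, so a request missing either key emits an undefined-key warning and binds null — `$user = $_POST['user'] ?? '';` (and likewise for `$pass`) avoids that.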