【警告】使用 phpBB 架站必讀 SQL INJECTION in phpBB

**TAIWAN** · 2003-11-23, 10:01 PM

使用 phpBB 架站必讀 SQL INJECTION in phpBB Profile.PHP

http://www.phpbb.com/

phpbb have a list of registereds users, when you click on a memebr of this list, you \ are requesting data to the database

for example:

http://www.example.com/forum/profile...iewprofile&u=2

this url show the information to the user with the uid = 2, the uid is a number \ assigned to users in phpbb.

but it isn't secure, because if you use this url, you can inject sql comands...

exploit:

http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]

where [sql code] represents the code may be injected.

**victorinoxs** · 2003-11-24, 04:27 AM

那該怎麼解決呢？

【警告】使用 phpBB 架站必讀 SQL INJECTION in phpBB

主題: 【警告】使用 phpBB 架站必讀 SQL INJECTION in phpBB

主題工具