【警告】使用 phpBB 架站必讀 SQL INJECTION in phpBB 使用 phpBB 架站必讀 SQL INJECTION in phpBB Profile.PHP [url]http://www.phpbb.com/[/url] phpbb have a list of registereds users, when you click on a memebr of this list, you \ are requesting data to the database for example: [url]http://www.example.com/forum/profile.php?mode=viewprofile&u=2[/url] this url show the information to the user with the uid = 2, the uid is a number \ assigned to users in phpbb. but it isn't secure, because if you use this url, you can inject sql comands... exploit: [url]http://www.example.com/profile.php?mode=viewprofile&u=[/url]'[sqlcode] where [sql code] represents the code may be injected. |
那該怎麼解決呢? |
所有時間均為 +8。現在的時間是 12:39 PM。 |
XML | RSS 2.0 | RSS |
本論壇所有文章僅代表留言者個人意見,並不代表本站之立場,討論區以「即時留言」方式運作,故無法完全監察所有即時留言,若您發現文章可能有異議,請 email :[email protected] 處理。