songCMS 3.15 cookie SQLINJ

./code/profile.php

...
$db = new db();
$SQL = "SELECT * FROM `{$dbprefix}user` WHERE `ID` = {$_COOKIE['User']['ID']}";
$Ue = $db -> SelectSQL($SQL,1);
...

Here the SQL query is built directly from $_COOKIE. This system wraps its own query functions, so let's follow the definition of the query function SelectSQL() in ./class/db.class.php:

function SelectSQL($SQL,$ResultType=2){
        switch ($ResultType){
            case 0:$ResultType=MYSQL_NUM;break;
            case 1:$ResultType=MYSQL_ASSOC;break;
            default:$ResultType=MYSQL_BOTH;break;
        }
        $conn = $this->conn();
        mysql_select_db($this->dbname,$conn);
        $result = mysql_query($SQL);    // $SQL is executed verbatim: no escaping, no parameter binding
        while($row = mysql_fetch_array($result,$ResultType)){$array[] = $row;}
        mysql_free_result($result);
        mysql_close($conn);
        if(!is_array(@$array)){$array=array();}   // only the fetched rows come back, never an error message
        return $array;
    }

The $SQL parameter goes straight into the database query without any filtering, and that's how a SQL injection is born. Oh, right, it's blind only~
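A hardened version of the profile.php lookup, added here as an example (not songCMS code): the cookie value is validated as a positive integer and then bound as a prepared-statement parameter instead of being spliced into the SQL string. It assumes a mysqli connection (with mysqlnd, for get_result()) in place of the original's mysql_* calls, which no longer exist in PHP 7, and the same `{$dbprefix}user` table with an integer `ID` column; the function names are my own.

```php
<?php
// Added example, not songCMS code: a hardened replacement for the
// $_COOKIE-driven lookup in profile.php.
declare(strict_types=1);

/**
 * Validate the raw cookie value as a positive integer, or return null.
 * A cookie named "User[ID]" arrives as $_COOKIE['User']['ID'] and is
 * entirely client-controlled, so it is treated as untrusted input.
 */
function cookieUserId(array $cookie): ?int
{
    $raw = $cookie['User']['ID'] ?? null;   // ?? is isset-safe if 'User' is not an array
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch the user row with a prepared statement: the ID travels as a
 * bound integer parameter and never becomes part of the SQL text.
 */
function loadUser(mysqli $db, string $dbprefix, int $id): ?array
{
    // The table name cannot be bound, so it is built only from the
    // configured prefix (backticks stripped), never from request data.
    $table = '`' . str_replace('`', '', $dbprefix) . 'user`';
    $stmt = $db->prepare("SELECT * FROM {$table} WHERE `ID` = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd (assumption)
    $stmt->close();
    return $row ?: null;
}

// Usage in profile.php, replacing the string-built query:
// $id = cookieUserId($_COOKIE);
// $Ue = ($id === null) ? null : loadUser($db, $dbprefix, $id);
```

A cookie value such as `1 AND SLEEP(5)` now fails integer validation and never reaches the database, so the blind injection path described above is closed.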

Original article: https://www.cnblogs.com/debugzer0/p/4735363.html