@xxliixin1993 2015-12-04T14:33:15.000000Z

Updating to PHP 7


Using the Zhishi (knowledge) site as the example.

1. Modify ZhishiRDHandle

First, PHP 7 removed several extensions; the mysql and mssql extensions are both gone.

The mysql_escape_string() function that ZhishiRDHandle relies on is therefore no longer available. To get the code running for local testing I simply deleted the escaping call; that leaves every query built from that input open to SQL injection, so it is a test-only shortcut and must not be deployed. The proper fix is the placeholder (prepared statement) mechanism of mysqli or PDO.

Solution 1
Replace it with PDO or MySQLi, both of which provide prepared statements, so that user input is bound as a parameter instead of being spliced into the SQL text.
For example:
PDO:

$pdo = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'root', '123456');
// Use real server-side prepared statements, not client-side emulation
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT * FROM user WHERE name = :name');
$stmt->execute(array('name' => $name));   // $name travels as data, never as part of the SQL
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

MySQLi:

$dbConnection = new mysqli('127.0.0.1', 'root', '123456', 'dbtest');
$dbConnection->set_charset('utf8');   // tell the client library the charset; do not rely on SET NAMES alone
$stmt = $dbConnection->prepare('SELECT * FROM user WHERE name = ?');
$stmt->bind_param('s', $name);        // 's' = bind as a string
$stmt->execute();
$result = $stmt->get_result();        // requires the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

Solution 2:
Use addslashes() in place of mysql_escape_string() / mysql_real_escape_string(). The two are not interchangeable: addslashes() works byte by byte with no knowledge of the connection's character set, whereas mysql_real_escape_string() escapes according to the charset the client library has been told about. Under a multibyte charset such as GBK the difference is exploitable, as the following example shows:

<?php
/*
CREATE TABLE `users` (
`username` varchar(32) CHARACTER SET gbk NOT NULL DEFAULT '',
`password` varchar(32) CHARACTER SET gbk DEFAULT NULL,
PRIMARY KEY (`username`)
)
*/
$mysqli = new mysqli("127.0.0.1", "root", "123456", "test");
// The server now decodes this connection as GBK, but addslashes() below knows nothing about that
$mysqli->query("SET NAMES 'gbk'");
/* SQL Injection Example */
// 0xBF 0x27: a GBK lead byte followed by a single quote
$_POST['username'] = chr(0xbf) . chr(0x27) .' OR 1 = 1 #';
$_POST['password'] = 'lixin';
// addslashes() inserts 0x5C before the quote, giving 0xBF 0x5C 0x27. Under GBK,
// 0xBF 0x5C is one valid two-byte character, so the backslash is swallowed and the
// 0x27 that follows is an unescaped quote that closes the string literal.
$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '{$username}' AND password = '{$password}'";
echo $sql.'<br/>';
$result = $mysqli->query($sql);
if ($result->num_rows) {
    echo $result->num_rows.'<br>';
    echo 'Success';
    /* Success */
} else {
    /* Failure */
    echo 'Failure';
}

The injection succeeds: the server reads 0xBF 0x5C as one GBK character, the following 0x27 closes the username literal, OR 1 = 1 makes the condition true, and # comments out the password check.

Summary: the placeholder mechanism of mysqli and PDO is the safer choice, because it does not depend on escaping at all. If escaping cannot be avoided, set the connection charset with mysqli::set_charset() rather than a raw SET NAMES query, so that the escaping function and the server agree on the charset.
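As an added example, serving both Solution 1 and Solution 2, here is the login lookup from the addslashes() script above rewritten with a mysqli prepared statement. This is not the page's own code: it reuses that script's `users` table, credentials and payload, and find_user() is a name chosen for this example.

```php
<?php
// Added example, not the page's own code: the login lookup from the addslashes()
// script above, rewritten the way Solution 1 recommends. It reuses that script's
// `users` table and credentials; find_user() is a name chosen for this example.

// Look a user up with a server-side prepared statement. Returns the matching row
// as an associative array, or an empty array when there is none.
function find_user(mysqli $db, $username, $password)
{
    // The SQL text is fixed and is sent to the server before any value ...
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ? AND password = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // ... and the values follow as typed data ('s' = string), so no byte of
    // $username is ever parsed as a quote, a backslash or a GBK lead byte.
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();
    return is_array($row) ? $row : array();
}

$mysqli = new mysqli('127.0.0.1', 'root', '123456', 'test');
// set_charset() is the supported way to choose the connection charset: unlike a raw
// "SET NAMES" query it also informs the client library, so even real_escape_string()
// would know it is dealing with GBK.
$mysqli->set_charset('gbk');

// The same payload as the addslashes() example: GBK lead byte, quote, tautology, comment.
$username = chr(0xbf) . chr(0x27) . ' OR 1 = 1 #';
$password = 'lixin';   // the plaintext password column is the page's own schema, kept to reuse its table

$row = find_user($mysqli, $username, $password);
echo $row ? 'Success' : 'Failure', PHP_EOL;
```

Run against the same table as the vulnerable script, the query now compares the column against the literal payload bytes, so it matches no user and prints Failure where the addslashes() version printed Success.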

2. Modify Smarty_Compiler.class.php

The error is:

 preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /home/lixin/fang/trunk/include/Smarty/Smarty_Compiler.class.php on line 269

Modify lines 264-270 of Smarty_Compiler.class.php. The original block, which relies on the removed /e modifier (the replacement string was eval()'d for every match), reads:

    /* replace special blocks by "{php}" */
    $source_content = preg_replace($search.'e', "'"
                                   . $this->_quote_replace($this->left_delimiter) . 'php'
                                   . "' . str_repeat(\"\n\", substr_count('\\0', \"\n\")) .'"
                                   . $this->_quote_replace($this->right_delimiter)
                                   . "'"
                                   , $source_content);

Replace it with a preg_replace_callback() call. The callback below is a closure rather than create_function(): create_function() builds its body from a string and eval()s it (it is deprecated in PHP 7.2 and removed in PHP 8.0), and interpolating $matches into that quoted string is easy to get wrong.

    /* replace special blocks by "{php}" */
    $source_content = preg_replace_callback($search, function ($matches) {
        // $matches[0] is the whole match, the text '\0' referred to in the old
        // replacement; its newlines are kept so template line numbers stay correct.
        // The return value is inserted literally, so _quote_replace() is not needed.
        return $this->left_delimiter . 'php'
             . str_repeat("\n", substr_count($matches[0], "\n"))
             . $this->right_delimiter;
    }, $source_content);
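As an added example (my own code, not Smarty's), the folding step above reduced to a stand-alone function, so the /e to preg_replace_callback() port can be checked in isolation. fold_php_blocks() and the sample template are constructed for this example, and the regex only mirrors the {php}...{/php} case rather than Smarty's full $search pattern.

```php
<?php
// Added example, not Smarty's code: a stand-alone version of the folding step
// in Smarty_Compiler.class.php, to show what the /e -> preg_replace_callback()
// port must preserve. fold_php_blocks() and the sample template are my own.

// Replace each {php}...{/php} block by a "{php}" marker padded with as many
// newlines as the block contained, so that line numbers in later compile
// errors still point at the right template line. Returns the folded source
// and the block bodies that were removed.
function fold_php_blocks($source, $ld = '{', $rd = '}')
{
    $ldq = preg_quote($ld, '~');
    $rdq = preg_quote($rd, '~');
    $search = "~{$ldq}\s*php\s*{$rdq}(.*?){$ldq}\s*/php\s*{$rdq}~s";

    $blocks = array();
    $folded = preg_replace_callback(
        $search,
        // A closure replaces the removed /e modifier: the match is handed to real
        // PHP code instead of being interpolated into a string that is eval()'d.
        // $m[0] is the whole match, the equivalent of '\0' in the old replacement.
        function (array $m) use (&$blocks, $ld, $rd) {
            $blocks[] = $m[1];
            return $ld . 'php' . str_repeat("\n", substr_count($m[0], "\n")) . $rd;
        },
        $source
    );
    return array($folded, $blocks);
}

// Constructed sample template: the {php} block spans lines 2-5.
$template = "line 1\n{php}\necho 'a';\necho 'b';\n{/php}\nline 6";
list($folded, $blocks) = fold_php_blocks($template);

// The folded text has exactly the same number of lines as the original ...
assert(substr_count($folded, "\n") === substr_count($template, "\n"));
// ... and the block body was captured for later processing.
assert(trim($blocks[0]) === "echo 'a';\necho 'b';");
```

The two assert() calls are the check that matters when porting: a callback that counts newlines in the wrong capture group, or in a quoted literal instead of the match, still compiles the template but shifts every line number reported in later errors.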

3. Modify MySmarty.class.php

Warning: Declaration of MySmarty::display($templateName, $time = false) should be compatible with Smarty::display($resource_name, $cache_id = NULL, $compile_id = NULL) in /home/lixin/fang/trunk/include/MySmarty.php on line 32

This is because PHP 7 reclassified this diagnostic: an incompatible child method signature used to be an E_STRICT notice and is now an E_WARNING; see http://php.net/manual/zh/migration70.incompatible.php. The code should still run without this change.
Two extra parameters, $cache_id and $compile_id, were added to display() so that its signature is compatible with the parent method:

public function display($templateName, $time=false, $cache_id = NULL, $compile_id = NULL)