@xxliixin1993
2015-12-04T14:33:15.000000Z
First, PHP 7 removed several extensions; the old mysql and mssql extensions are both gone.
The mysql_escape_string function used in ZhishiRDHandle is therefore no longer supported. To make testing easier, I simply deleted this filtering method when testing locally; going forward I recommend using the placeholder (prepared statement) mechanism of mysqli or PDO.
Solution 1:
Use PDO or MySQLi, both of which provide a Prepared Statement mechanism, instead.
For example:
PDO:
// $name is untrusted input, e.g. from $_POST; it is bound, never concatenated into the SQL
$pdo = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'root', '123456');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real server-side prepares
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('SELECT * FROM user WHERE name = :name');
$stmt->execute(array('name' => $name));
MYSQLi:
$dbConnection = new mysqli('127.0.0.1', 'root', '123456', 'dbtest');
$stmt = $dbConnection->prepare('SELECT * FROM user WHERE name = ?');
$stmt->bind_param('s', $name);   // 's' = bind as string
$stmt->execute();
$result = $stmt->get_result();   // requires mysqlnd
while ($row = $result->fetch_assoc()) {
    // do something with $row
}
Solution 2:
Use addslashes in place of mysql_escape_string / mysql_real_escape_string. Note, however, that there is still a real difference between addslashes and mysql_escape_string / mysql_real_escape_string, which the following example demonstrates:
<?php
/*
CREATE TABLE `users` (
`username` varchar(32) CHARACTER SET gbk NOT NULL DEFAULT '',
`password` varchar(32) CHARACTER SET gbk DEFAULT NULL,
PRIMARY KEY (`username`)
)
*/
$mysqli = new mysqli("127.0.0.1", "root", "123456", "test");
$mysqli->query("SET NAMES 'gbk'");
/* SQL Injection Example */
$_POST['username'] = chr(0xbf) . chr(0x27) .' OR 1 = 1 #';
$_POST['password'] = 'lixin';
$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '{$username}' AND password = '{$password}'";
echo $sql.'<br/>';
$result = $mysqli->query($sql);
if ($result->num_rows) {
echo $result->num_rows.'<br>';
echo 'Success';
/* Success */
} else {
/* Failure */
echo 'Failure';
}
With this input the injection succeeds.
Summary: the placeholder mechanism of mysqli and PDO is still the safer choice.
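As an added example (not code from the original post), here is the same users table and the same GBK payload as above, but looked up through a mysqli prepared statement and with the charset set through set_charset() rather than a bare SET NAMES query. The connection parameters are the ones the post uses; the function names findUser() and hexBytes() are my own. hexBytes() runs without a database and shows why addslashes is not enough here: the backslash it inserts (0x5c) pairs with the preceding 0xbf into one GBK character, leaving the quote (0x27) unescaped.

```php
<?php
/*
 * Added example, not from the original post. Assumes the post's table:
 *
 * CREATE TABLE `users` (
 *   `username` varchar(32) CHARACTER SET gbk NOT NULL DEFAULT '',
 *   `password` varchar(32) CHARACTER SET gbk DEFAULT NULL,
 *   PRIMARY KEY (`username`)
 * )
 */

/* Diagnostic helper: render a string as space-separated hex bytes. */
function hexBytes(string $s): string
{
    return implode(' ', str_split(bin2hex($s), 2));
}

/* Look a user up with a prepared statement. The values are sent separately
   from the SQL text, so the connection charset cannot change their meaning. */
function findUser(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT username FROM users WHERE username = ? AND password = ?'
    );
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/* The post's payload (constructed input, as in the original example). */
$payload = chr(0xbf) . chr(0x27) . ' OR 1 = 1 #';
echo "raw:        " . hexBytes($payload) . "\n";
/* addslashes inserts 5c before 27; in GBK, bf 5c is one character, so the
   quote that follows is effectively unescaped. */
echo "addslashes: " . hexBytes(addslashes($payload)) . "\n";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('127.0.0.1', 'root', '123456', 'test');
/* set_charset() informs the client library as well as the server; a bare
   "SET NAMES 'gbk'" query only changes the server side, which is what lets
   escaping-based approaches fall out of sync. */
$mysqli->set_charset('gbk');

$row = findUser($mysqli, $payload, 'lixin');
echo $row === null ? "no match: the payload was treated as data\n"
                   : "matched {$row['username']}\n";
```

With the prepared statement the payload is compared literally against the username column and matches nothing, whereas the string-concatenated query in the post returns every row.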
The error reported is
preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /home/lixin/fang/trunk/include/Smarty/Smarty_Compiler.class.php on line 269
In Smarty_Compiler.class.php, change lines 264-270 from
/* replace special blocks by "{php}" */
$source_content = preg_replace($search.'e', "'"
. $this->_quote_replace($this->left_delimiter) . 'php'
. "' . str_repeat(\"\n\", substr_count('\\0', \"\n\")) .'"
. $this->_quote_replace($this->right_delimiter)
. "'"
, $source_content);
to
/* replace special blocks by "{php}" */
$source_content = preg_replace_callback($search, function ($matches) {
    /* $matches[0] is the whole match, i.e. what "\0" was in the /e version;
       the callback's return value is inserted verbatim, so the delimiters
       no longer need _quote_replace(). A closure is used rather than
       create_function(), which is deprecated since PHP 7.2. */
    return $this->left_delimiter . 'php'
        . str_repeat("\n", substr_count($matches[0], "\n"))
        . $this->right_delimiter;
}, $source_content);
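To check the migration from the /e replacement to a callback without a Smarty install, here is an added, reduced stand-in for that folding step (this is my own example, not Smarty's code). foldSpecialBlocks() and its simplified pattern, which only recognises {* comment *} and {literal}...{/literal} blocks, are assumptions; the compiler's real $search expression covers more block types. The property being preserved is the one the original code cared about: every folded block keeps its newline count, so line numbers reported by the compiler stay correct.

```php
<?php
/*
 * Added example, not Smarty's code: a reduced version of the
 * "fold special blocks" step. $left/$right are the template delimiters.
 */
function foldSpecialBlocks(string $source, string $left = '{', string $right = '}'): string
{
    $ldq = preg_quote($left, '~');
    $rdq = preg_quote($right, '~');
    /* Simplified pattern: comment blocks and literal blocks only. */
    $search = "~{$ldq}\*.*?\*{$rdq}|{$ldq}\s*literal\s*{$rdq}.*?{$ldq}\s*/literal\s*{$rdq}~s";

    /* The old /e version evaluated a replacement string in which \0 stood
       for the whole match. With preg_replace_callback the same text is
       $matches[0], and the return value is inserted verbatim, so no
       quoting of the delimiters is needed. */
    return preg_replace_callback($search, function (array $matches) use ($left, $right) {
        return $left . 'php'
            . str_repeat("\n", substr_count($matches[0], "\n"))
            . $right;
    }, $source);
}

/* Constructed template: a two-line comment and a three-line literal block. */
$template = "a\n{* first\nsecond *}\nb\n{literal}\nx\ny\n{/literal}\nc\n";

$folded = foldSpecialBlocks($template);

/* Both checks hold: each block became "{php...}", and the total number of
   lines is unchanged. */
var_dump(substr_count($folded, '{php') === 2);
var_dump(substr_count($folded, "\n") === substr_count($template, "\n"));
```

The same two checks are worth running against a real Smarty template after patching the compiler: if the line count of the folded source differs from the input, error messages will point at the wrong template line.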
Warning: Declaration of MySmarty::display($templateName, $time = false) should be compatible with Smarty::display($resource_name, $cache_id = NULL, $compile_id = NULL) in /home/lixin/fang/trunk/include/MySmarty.php on line 32
This is because PHP 7 changed how this condition is reported; see http://php.net/manual/zh/migration70.incompatible.php for details. It should also run without this change.
Two extra parameters were added to the display() method so that its signature is compatible with Smarty::display():
public function display($templateName, $time=false, $cache_id = NULL, $compile_id = NULL)