'DEFAULT_FILTER' => 'strip_tags',
//也可以设置多种过滤方法
'DEFAULT_FILTER' => 'strip_tags,stripslashes',
从/ThinkPHP/Common/functions.php中可以找到I函数,源码如下:/**
* 获取输入参数 支持过滤和默认值
* 使用方法:
*
* I('id',0); 获取id参数 自动判断get或者post
* I('post.name','','htmlspecialchars'); 获取$_POST['name']
* I('get.'); 获取$_GET
*
* @param string $name 变量的名称 支持指定类型
* @param mixed $default 不存在的时候默认值
* @param mixed $filter 参数过滤方法
* @param mixed $datas 要获取的额外数据源
* @return mixed
*/
function I($name,$default='',$filter=null,$datas=null) {
static $_PUT = null;
if(strpos($name,'/')){ // 指定修饰符
list($name,$type) = explode('/',$name,2);
}elseif(C('VAR_AUTO_STRING')){ // 默认强制转换为字符串
$type = 's';
}
/*根据$name的格式获取数据:先判断参数的来源,然后再根据各种格式获取数据*/
if(strpos($name,'.')) {list($method,$name) = explode('.',$name,2);} // 指定参数来源
else{$method = 'param';}//设定为自动获取
switch(strtolower($method)) {
case 'get' : $input =& $_GET;break;
case 'post' : $input =& $_POST;break;
case 'put' : /*此处省略*/
case 'param' : /*此处省略*/
case 'path' : /*此处省略*/
}
/*对获取的数据进行过滤*/
if('' // 获取全部变量
$data = $input;
$filters = isset($filter)?$filter:C('DEFAULT_FILTER');
if($filters) {
if(is_string($filters)){$filters = explode(',',$filters);} //为多种过滤方法提供支持
foreach($filters as $filter){
$data = array_map_recursive($filter,$data); //循环过滤
}
}
}elseif(isset($input[$name])) { // 取值操作
$data = $input[$name];
$filters = isset($filter)?$filter:C('DEFAULT_FILTER');
if($filters) { /*对参数进行过滤,支持正则表达式验证*/
/*此处省略*/
}
if(!empty($type)){ //如果设定了强制转换类型
switch(strtolower($type)){
case 'a': $data = (array)$data;break; // 数组
case 'd': $data = (int)$data;break; // 数字
case 'f': $data = (float)$data;break; // 浮点
case 'b': $data = (boolean)$data;break; // 布尔
case 's': // 字符串
default:$data = (string)$data;
}
}
}else{ // 变量默认值
$data = isset($default)?$default:null;
}
is_array($data) && array_walk_recursive($data,'think_filter'); //如果$data是数组,那么用think_filter对数组过滤
return $data;
}
恩,函数基本分成三块://1536行 版本3.2.3最新添加
function think_filter(&$value){// 过滤查询特殊字符
if(preg_match('/^(EXP|NEQ|GT|EGT|LT|ELT|OR|XOR|LIKE|NOTLIKE|NOT BETWEEN|NOTBETWEEN|BETWEEN|NOTIN|NOT IN|IN)$/i',$value)){
$value .= ' ';
}
}
这个函数很简单,一眼就可以看出来,在一些特定的关键字后面加个空格。$data['id']=array('in'=>'1,2,3')
//经过think_filter过滤之后,会变成介个样子:
$data['id']=array('in '=>'1,2,3')
二、SQL注入//此次主要分析如下语句:
M('user')->where($map)->find(); //在user表根据$map的条件检索出一条数据
大概说一下TP的处理思路:// 主键名称
protected $pk = 'id';
// 字段信息
protected $fields = array();
// 数据信息
protected $data = array();
// 查询表达式参数
protected $optiOns= array();
// 链操作方法列表
protected $methods = array('strict','order','alias','having','group','lock','distinct','auto','filter','validate','result','token','index','force')
接下来分析where函数:
public function where($where,$parse=null){
//如果非数组格式,即where('id=%d&name=%s',array($id,$name)),对传递到字符串中的数组调用mysql里的escapeString进行处理
if(!is_null($parse) && is_string($where)) {
if(!is_array($parse)){ $parse = func_get_args();array_shift($parse);}
$parse = array_map(array($this->db,'escapeString'),$parse);
$where = vsprintf($where,$parse); //vsprintf() 函数把格式化字符串写入变量中
}elseif(is_object($where)){
$where = get_object_vars($where);
}
if(is_string($where) && '' != $where){
$map = array();
$map['_string'] = $where;
$where = $map;
}
//将$where赋值给$this->where
if(isset($this->options['where'])){
$this->options['where'] = array_merge($this->options['where'],$where);
}else{
$this->options['where'] = $where;
}
return $this;
}
where函数的逻辑很简单,如果是where('id=%d&name=%s',array($id,$name))这种格式,那就对$id,$name变量调用mysql里的escapeString进行处理。escapeString的实质是调用mysql_real_escape_string、addslashes等函数进行处理。//model.class.php 行721 版本3.2.3
public function find($optiOns=array()) {
if(is_numeric($options) || is_string($options)){ /*如果传递过来的数据是字符串,不是数组*/
$where[$this->getPk()] = $options;
$optiOns= array();
$options['where'] = $where; /*提取出查询条件,并赋值*/
}
// 根据主键查找记录
$pk = $this->getPk();
if (is_array($options) && (count($options) > 0) && is_array($pk)) {
/*构造复合主键查询条件,此处省略*/
}
$options['limit'] = 1; // 总是查找一条记录
$optiOns= $this->_parseOptions($options); // 分析表达式
if(isset($options['cache'])){
/*缓存查询,此处省略*/
}
$resultSet = $this->db->select($options);
if(false === $resultSet){ return false;}
if(empty($resultSet)) { return null; } // 查询结果为空
if(is_string($resultSet)){ return $resultSet;} //查询结果为字符串
// 读取数据后的处理,此处省略简写
$this->data = $this->_read_data($resultSet[0]);
return $this->data;
}
$Pk为主键,$options为表达式参数,本函数的作用就是完善成员变量――options数组,然后调用db层的select函数查询数据,处理后返回数据。protected function _parseOptions($optiOns=array()) { //分析表达式
if(is_array($options)){
$optiOns= array_merge($this->options,$options);
}
/*获取表名,此处省略*/
/*添加数据表别名,此处省略*/
$options['model'] = $this->name;// 记录操作的模型名称
/*对数组查询条件进行字段类型检查,如果在合理范围内,就进行过滤处理;否则抛出异常或者删除掉对应字段*/
if(isset($options['where']) && is_array($options['where']) && !empty($fields) && !isset($options['join'])){
foreach ($options['where'] as $key=>$val){
$key = trim($key);
if(in_array($key,$fields,true)){ //如果$key在数据库字段内,过滤以及强制类型转换之
if(is_scalar($val)) {
/*is_scalar 检测是否为标量。标量是指integer、float、string、boolean的变量,array则不是标量。*/
$this->_parseType($options['where'],$key);
}
}elseif(!is_numeric($key) && '_' != substr($key,0,1) && false === strpos($key,'.') && false === strpos($key,'(') && false === strpos($key,'|') && false === strpos($key,'&')){
// 如果$key不是数字且第一个字符不是_,不存在.(|&等特殊字符
if(!empty($this->options['strict'])){ //如果是strict模式,抛出异常
E(L('_ERROR_QUERY_EXPRESS_').':['.$key.'=>'.$val.']');
}
unset($options['where'][$key]); //unset掉对应的值
}
}
}
$this->optiOns= array(); // 查询过后清空sql表达式组装 避免影响下次查询
$this->_options_filter($options); // 表达式过滤
return $options;
}
本函数的结构大概是,先获取了表名,模型名,再对数据进行处理:如果该条数据不在数据库字段内,则做出异常处理或者删除掉该条数据。否则,进行_parseType处理。parseType此处不再跟进,功能为:数据类型检测,强制类型转换包括int,float,bool型的三种数据。// 数据库表达式
protected $exp = array(&#039;eq&#039;=>&#039;=&#039;,&#039;neq&#039;=>&#039;<>&#039;,&#039;gt&#039;=>&#039;>&#039;,&#039;egt&#039;=>&#039;>=&#039;,&#039;lt&#039;=>&#039;<&#039;,&#039;elt&#039;=>&#039;<=&#039;,&#039;notlike&#039;=>&#039;NOT LIKE&#039;,&#039;like&#039;=>&#039;LIKE&#039;,&#039;in&#039;=>&#039;IN&#039;,&#039;notin&#039;=>&#039;NOT IN&#039;,&#039;not in&#039;=>&#039;NOT IN&#039;,&#039;between&#039;=>&#039;BETWEEN&#039;,&#039;not between&#039;=>&#039;NOT BETWEEN&#039;,&#039;notbetween&#039;=>&#039;NOT BETWEEN&#039;);
// 查询表达式
protected $selectSql = &#039;SELECT%DISTINCT% %FIELD% FROM %TABLE%%FORCE%%JOIN%%WHERE%%GROUP%%HAVING%%ORDER%%LIMIT% %UNION%%LOCK%%COMMENT%&#039;;
// 当前SQL指令
protected $queryStr = &#039;&#039;;
// 参数绑定
protected $bind = array();
select函数:
public function select($optiOns=array()) {
$this->model = $options[&#039;model&#039;];
$this->parseBind(!empty($options[&#039;bind&#039;])?$options[&#039;bind&#039;]:array());
$sql = $this->buildSelectSql($options);
$result = $this->query($sql,!empty($options[&#039;fetch_sql&#039;]) ? true : false);
return $result;
}
版本3.2.3经过改进之后,select精简了不少。parseBind函数是绑定参数,用于pdo查询,此处不表。public function buildSelectSql($optiOns=array()) {
if(isset($options[&#039;page&#039;])) {
/*页码计算及处理,此处省略*/
}
$sql = $this->parseSql($this->selectSql,$options);
return $sql;
}
/* 替换SQL语句中表达式*/
public function parseSql($sql,$optiOns=array()){
$sql = str_replace(
array(&#039;%TABLE%&#039;,&#039;%DISTINCT%&#039;,&#039;%FIELD%&#039;,&#039;%JOIN%&#039;,&#039;%WHERE%&#039;,&#039;%GROUP%&#039;,&#039;%HAVING%&#039;,&#039;%ORDER%&#039;,&#039;%LIMIT%&#039;,&#039;%UNION%&#039;,&#039;%LOCK%&#039;,&#039;%COMMENT%&#039;,&#039;%FORCE%&#039;),
array(
$this->parseTable($options[&#039;table&#039;]),
$this->parseDistinct(isset($options[&#039;distinct&#039;])?$options[&#039;distinct&#039;]:false),
$this->parseField(!empty($options[&#039;field&#039;])?$options[&#039;field&#039;]:&#039;*&#039;),
$this->parseJoin(!empty($options[&#039;join&#039;])?$options[&#039;join&#039;]:&#039;&#039;),
$this->parseWhere(!empty($options[&#039;where&#039;])?$options[&#039;where&#039;]:&#039;&#039;),
$this->parseGroup(!empty($options[&#039;group&#039;])?$options[&#039;group&#039;]:&#039;&#039;),
$this->parseHaving(!empty($options[&#039;having&#039;])?$options[&#039;having&#039;]:&#039;&#039;),
$this->parseOrder(!empty($options[&#039;order&#039;])?$options[&#039;order&#039;]:&#039;&#039;),
$this->parseLimit(!empty($options[&#039;limit&#039;])?$options[&#039;limit&#039;]:&#039;&#039;),
$this->parseUnion(!empty($options[&#039;union&#039;])?$options[&#039;union&#039;]:&#039;&#039;),
$this->parseLock(isset($options[&#039;lock&#039;])?$options[&#039;lock&#039;]:false),
$this->parseComment(!empty($options[&#039;comment&#039;])?$options[&#039;comment&#039;]:&#039;&#039;),
$this->parseForce(!empty($options[&#039;force&#039;])?$options[&#039;force&#039;]:&#039;&#039;)
),$sql);
return $sql;
}
可以看到,在parseSql中用正则表达式拼接了sql语句,但并没有直接的去处理各种插叙你的数据格式,而是在解析变量的过程中调用了多个函数,此处拿parseWhere举例子。protected function parseWhere($where) {
$whereStr = &#039;&#039;;
if(is_string($where)) { // 直接使用字符串条件
$whereStr = $where;
}
else{ // 使用数组表达式
/*设定逻辑规则,如or and xor等,默认为and,此处省略*/
$operate=&#039; AND &#039;;
/*解析特殊格式的表达式并且格式化输出*/
foreach ($where as $key=>$val){
if(0===strpos($key,&#039;_&#039;)) { // 解析特殊条件表达式
$whereStr .= $this->parseThinkWhere($key,$val);
}
else{ // 查询字段的安全过滤
$multi = is_array($val) && isset($val[&#039;_multi&#039;]); //判断是否有复合查询
$key = trim($key);
/*处理字段中包含的| &逻辑*/
if(strpos($key,&#039;|&#039;)) { // 支持 name|title|nickname 方式定义查询字段
/*将|换成or,并格式化输出,此处省略*/
}
elseif(strpos($key,&#039;&&#039;)){
/*将&换成and,并格式化输出,此处省略*/
}
else{
$whereStr .= $this->parseWhereItem($this->parseKey($key),$val);
}
}
$whereStr .= $operate;
}
$whereStr = substr($whereStr,0,-strlen($operate));
}
return empty($whereStr)?&#039;&#039;:&#039; WHERE &#039;.$whereStr;
}
// where子单元分析
protected function parseWhereItem($key,$val) {
$whereStr = &#039;&#039;;
if(is_array($val)){
if(is_string($val[0])){
$exp = strtolower($val[0]);
//如果是$map[&#039;id&#039;]=array(&#039;eq&#039;,100)一类的结构,那么解析成数据库可执行格式
if(preg_match(&#039;/^(eq|neq|gt|egt|lt|elt)$/&#039;,$exp)){
$whereStr .= $key.&#039; &#039;.$this->exp[$exp].&#039; &#039;.$this->parseValue($val[1]);
}
//如果是模糊查找格式
elseif(preg_match(&#039;/^(notlike|like)$/&#039;,$exp)){// 模糊查找,$map[&#039;name&#039;]=array(&#039;like&#039;,&#039;thinkphp%&#039;);
if(is_array($val[1])) { //解析格式如下:$map[&#039;b&#039;] =array(&#039;notlike&#039;,array(&#039;%thinkphp%&#039;,&#039;%tp&#039;),&#039;AND&#039;);
$likeLogic = isset($val[2])?strtoupper($val[2]):&#039;OR&#039;; //如果没有设定逻辑结构,则默认为OR
if(in_array($likeLogic,array(&#039;AND&#039;,&#039;OR&#039;,&#039;XOR&#039;))){
/* 根据逻辑结构,组合语句,此处省略*/
$whereStr .= &#039;(&#039;.implode(&#039; &#039;.$likeLogic.&#039; &#039;,$like).&#039;)&#039;;
}
}
else{
$whereStr .= $key.&#039; &#039;.$this->exp[$exp].&#039; &#039;.$this->parseValue($val[1]);
}
}elseif(&#039;bind&#039; == $exp ){ // 使用表达式,pdo数据绑定
$whereStr .= $key.&#039; = :&#039;.$val[1];
}elseif(&#039;exp&#039; == $exp ){ // 使用表达式 $map[&#039;id&#039;] = array(&#039;exp&#039;,&#039; IN (1,3,8) &#039;);
$whereStr .= $key.&#039; &#039;.$val[1];
}elseif(preg_match(&#039;/^(notin|not in|in)$/&#039;,$exp)){ //IN运算 $map[&#039;id&#039;] = array(&#039;not in&#039;,&#039;1,5,8&#039;);
if(isset($val[2]) && &#039;exp&#039;==$val[2]){
$whereStr .= $key.&#039; &#039;.$this->exp[$exp].&#039; &#039;.$val[1];
}else{
if(is_string($val[1])) {
$val[1] = explode(&#039;,&#039;,$val[1]);
}
$zOne= implode(&#039;,&#039;,$this->parseValue($val[1]));
$whereStr .= $key.&#039; &#039;.$this->exp[$exp].&#039; (&#039;.$zone.&#039;)&#039;;
}
}elseif(preg_match(&#039;/^(notbetween|not between|between)$/&#039;,$exp)){ //BETWEEN运算
$data = is_string($val[1])? explode(&#039;,&#039;,$val[1]):$val[1];
$whereStr .= $key.&#039; &#039;.$this->exp[$exp].&#039; &#039;.$this->parseValue($data[0]).&#039; AND &#039;.$this->parseValue($data[1]);
}else{ //否则抛出异常
E(L(&#039;_EXPRESS_ERROR_&#039;).&#039;:&#039;.$val[0]);
}
}
else{ //解析如:$map[&#039;status&score&title&#039;] =array(&#039;1&#039;,array(&#039;gt&#039;,&#039;0&#039;),&#039;thinkphp&#039;,&#039;_multi&#039;=>true);
$count = count($val);
$rule = isset($val[$count-1]) ? (is_array($val[$count-1]) ? strtoupper($val[$count-1][0]) : strtoupper($val[$count-1]) ) : &#039;&#039; ;
if(in_array($rule,array(&#039;AND&#039;,&#039;OR&#039;,&#039;XOR&#039;))){
$count = $count -1;
}else{
$rule = &#039;AND&#039;;
}
for($i=0;$i<$count;$i++){
$data = is_array($val[$i])?$val[$i][1]:$val[$i];
if(&#039;exp&#039;==strtolower($val[$i][0])) {
$whereStr .= $key.&#039; &#039;.$data.&#039; &#039;.$rule.&#039; &#039;;
}else{
$whereStr .= $this->parseWhereItem($key,$val[$i]).&#039; &#039;.$rule.&#039; &#039;;
}
}
$whereStr = &#039;( &#039;.substr($whereStr,0,-4).&#039; )&#039;;
}
}
else {
//对字符串类型字段采用模糊匹配
$likeFields = $this->config[&#039;db_like_fields&#039;];
if($likeFields && preg_match(&#039;/^(&#039;.$likeFields.&#039;)$/i&#039;,$key)) {
$whereStr .= $key.&#039; LIKE &#039;.$this->parseValue(&#039;%&#039;.$val.&#039;%&#039;);
}else {
$whereStr .= $key.&#039; = &#039;.$this->parseValue($val);
}
}
return $whereStr;
}
protected function parseThinkWhere($key,$val) { //解析特殊格式的条件
$whereStr = &#039;&#039;;
switch($key) {
case &#039;_string&#039;:$whereStr = $val;break; // 字符串模式查询条件
case &#039;_complex&#039;:$whereStr = substr($this->parseWhere($val),6);break; // 复合查询条件
case &#039;_query&#039;:// 字符串模式查询条件
/*处理逻辑结构,并且格式化输出字符串,此处省略*/
}
return &#039;( &#039;.$whereStr.&#039; )&#039;;
}
上面的两个函数很长,我们再精简一些来看:parseWhere首先判断查询数据是不是字符串,如果是字符串,直接返回字符串,否则,遍历查询条件的数组,挨个解析。AD:真正免费,域名+虚机+企业邮箱=0元