Two days ago, someone used PHP injection to submit flash game scores on a friend's website. Later, when I looked for the cause, I found out that it was caused by a parameter that did not perform numerical judgment.
Originally, saving game scores is implemented in the form of game.php?ac=save&fgid=1. The fgid is called directly in the php web page without any filtering. Many people use adding a letter (fgid=1a) after fgid=1 to achieve some illegal operations.
Suppose there is a game in the gamlist table with an fgid of 102
select gname from gamelist where fgid='102′;
select gname from gamelist where fgid='102a';
In this way, you can successfully find the game name gname, which provides many people with an opportunity
It is recommended that you filter the key parameters. Such as digital regular filtering
An online method to determine whether an ID is a number
The difference between these two methods is that is_numeric will also treat decimals as numbers, while the previous regular expression will treat decimal points as characters.
Attached are some commonly used regular operations:
Verification number: ^[0-9]*$
Verify n-digit number: ^d{n}$
Verify at least n digits: ^d{n,}$
Verify m-n digit number: ^d{m,n}$
Verify numbers starting with zero and non-zero: ^(0|[1-9][0-9]*)$
Verify a positive real number with two decimal places: ^[0-9] (.[0-9]{2})?$
Verify positive real numbers with 1-3 decimal places: ^[0-9] (.[0-9]{1,3})?$
Verify non-zero positive integers: ^?[1-9][0-9]*$
Verify non-zero negative integers: ^-[1-9][0-9]*$
Verify non-negative integer (positive integer 0) ^d $
Verify non-positive integer (negative integer 0) ^((-d )|(0 ))$
Validate characters of length 3: ^.{3}$
Verify a string consisting of 26 English letters: ^[A-Za-z] $
Verify a string consisting of 26 uppercase English letters: ^[A-Z] $
Verify a string consisting of 26 lowercase English letters: ^[a-z] $
Verify a string consisting of numbers and 26 English letters: ^[A-Za-z0-9] $
Verify a string consisting of numbers, 26 English letters, or underscores: ^w $
Verify user password: ^[a-zA-Z]w{5,17}$ The correct format is: starting with a letter, the length is between 6-18, and can only contain characters, numbers and underscores.
Verify whether it contains characters such as ^%&‘,;=?$”: [^%&‘,;=?$x22]
Verify Chinese characters: ^[u4e00-u9fa5],{0,}$
Verify email address: ^w [- .]w )*@w ([-.]w )*.w ([-.]w )*$
Verify InternetURL: ^http://([w-] .) [w-] (/[w-./?%&=]*)?$ ; ^[a-zA-z] ://(w ( -w )*)(.(w (-w )*))*(?S*)?$
Verification phone number: ^((d{3,4})|d{3,4}-)?d{7,8}$: – The correct format is: XXXX-XXXXXXX, XXXX-XXXXXXXX, XXX-XXXXXXX, XXX -XXXXXXXX, XXXXXXX, XXXXXXXX.
Verify ID number (15 or 18 digits): ^d{15}|d{}18$
Verify the 12 months of a year: ^(0?[1-9]|1[0-2])$ The correct format is: "01"-"09" and "1" "12"
Verify the 31 days of a month: ^((0?[1-9])|((1|2)[0-9])|30|31)$ The correct format is: 01, 09 and 1, 31.
Integer: ^-?d $
Non-negative floating point number (positive floating point number 0): ^d (.d )?$
Positive floating point number ^(([0-9] .[0-9]*[1-9][0-9]*)|([0-9]*[1-9][0-9]*. [0-9] )|([0-9]*[1-9][0-9]*))$
Non-positive floating point number (negative floating point number 0) ^((-d (.d )?)|(0 (.0 )?))$
Negative floating point number ^(-(([0-9] .[0-9]*[1-9][0-9]*)|([0-9]*[1-9][0-9] *.[0-9] )|([0-9]*[1-9][0-9]*)))$
Floating point number ^(-?d )(.d )?