1. Description
The intval function has a characteristic: "The conversion will not start until it encounters a number or a positive or negative sign, and the conversion will end when it encounters a non-number or the end of the string (/0)." In some cases Due to insufficient understanding of the characteristics of the intval function in the application, incorrect use leads to bypassing some security judgments and leading to security vulnerabilities.
2. Analysis
|
PHP_FUNCTION(intval)
{
zval **num, **arg_base;
int base;
switch (ZEND_NUM_ARGS()) {
case 1:
if (zend_get_parameters_ex(1, &num) == FAILURE) {
WRONG_PARAM_COUNT;
}
base = 10;
break;
case 2:
if (zend_get_parameters_ex(2, &num, &arg_base) == FAILURE) {
WRONG_PARAM_COUNT;
}
convert_to_long_ex(arg_base);
base = Z_LVAL_PP(arg_base);
break;
default:
WRONG_PARAM_COUNT;
}
RETVAL_ZVAL(*num, 1, 0);
convert_to_long_base(return_value, base);
}
Zend/zend_operators.c->>convert_to_long_base()
……
case IS_STRING:
strval = Z_STRVAL_P(op);
Z_LVAL_P(op) = strtol(strval, NULL, base);
STR_FREE(strval); break;
| PHP_FUNCTION(intval) { zval **num, **arg_base; int base; | long int strtol(const char *nptr,char **endptr,int base); |
switch (ZEND_NUM_ARGS()) {
case 1:
if (zend_get_parameters_ex(1, &num) == FAILURE) {
WRONG_PARAM_COUNT;
}
base = 10;
|
//intval.php
$var="20070601";
if (intval($var))
echo "it's safe";
echo '$var='.$var;
echo "
";
$var1="1 union select 1,1,1 from admin";
if (intval($var1))
echo "it's safe too"; echo '$var1='.$var1;
| break; case 2: if (zend_get_parameters_ex(2, &num, &arg_base) == FAILURE) { | WordPress <= 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index / sql injection exploit | WRONG_PARAM_COUNT; } Convert_to_long_ex(arg_base); base = Z_LVAL_PP(arg_base); break; default: WRONG_PARAM_COUNT; RETVAL_ZVAL(*num, 1, 0); convert_to_long_base(return_value, base); >convert_to_long_base() case IS_STRING: strval = Z_STRVAL_P(op); Z_LVAL_P(op) = strtol(strval, NULL, base); STR_FREE(strval); break; |
When the intval function accepts a string type The parameters are processed by calling convert_to_long_base(), and then Z_LVAL_P(op) = strtol(strval, NULL, base); is called to process the parameters through the strtol function. The function prototype is as follows: This function will convert the parameter nptr string into a long integer according to the parameter base, which ranges from 2 to 36 , or 0. The parameter base represents the base system used. If the base value is 10, decimal system is used. If the base value is 16, hexadecimal system is used. etc. The process is: strtol() will scan the parameter nptr string, skip the preceding space characters, and do not start conversion until it encounters numbers or positive and negative symbols, and then encounters non-digits Or when the string ends (/0), the conversion ends and the result is returned. Then when intval is used in judgments such as if, it will cause the judgment to be meaningless, leading to security vulnerabilities.3. Test code
| // intval.php $var="20070601"; if (intval($var)) echo "it's safe"; echo ' $var='.$var; echo ""; $var1="1 union select 1,1,1 from admin"; if (intval($var1)) echo "it's safe too"; echo '$var1='.$var1; |
4. Practical Application
http://www.bkjia.com/PHPjc/371450.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/371450.htmlTechArticle1. Description of the intval function has a characteristic: "It does not start conversion until it encounters a number or a positive or negative sign, and then "End conversion when encountering a non-digit or the end of a string (/0)", in some applications due to...
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
