in_array() loose comparison: an example of a resulting vulnerability


Author: Zvall

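This is something from last year, haha. Experts, feel free to skip it. If anything in the article is wrong, please point it out.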

$getActiveRole = admFuncVariableIsValid($_GET, 'active_role', 'boolean', 1);

// Navigation starts here in the module
$_SESSION['navigation']->clear();
$_SESSION['navigation']->addUrl(CURRENT_URL);

// Assemble the list SQL statement
if($getActiveRole == 1)
{
    $sql_member_status = ' AND mem_begin <= \''.DATE_NOW.'\'
                           AND mem_end   >= \''.DATE_NOW.'\' ';
}
else
{
    $sql_member_status = ' AND mem_end < \''.DATE_NOW.'\' ';
}

$sql = 'SELECT rol.*, cat.*, 
               (SELECT COUNT(*) FROM '. TBL_MEMBERS. ' mem WHERE mem.mem_rol_id = rol.rol_id '.$sql_member_status.' AND mem_leader = 0) as num_members,
               (SELECT COUNT(*) FROM '. TBL_MEMBERS. ' mem WHERE mem.mem_rol_id = rol.rol_id '.$sql_member_status.' AND mem_leader = 1) as num_leader,
               (SELECT COUNT(*) FROM '. TBL_MEMBERS. ' mem WHERE mem.mem_rol_id = rol.rol_id AND mem_end < \''. DATE_NOW.'\') as num_former
          FROM '. TBL_ROLES. ' rol, '. TBL_CATEGORIES. ' cat
         WHERE rol_valid   = '.$getActiveRole.'
           AND rol_visible = 1
           AND rol_cat_id = cat_id 
           AND (  cat_org_id = '. $gCurrentOrganization->getValue('org_id'). '
               OR cat_org_id IS NULL ) ';

Tracing into admFuncVariableIsValid:

function admFuncVariableIsValid($array, $variableName, $type, $defaultValue = null, $requireValue = false, $validValues = null, $directOutput = false)
{
	global $gL10n, $gMessage;
	
	$errorMessage = '';
	$type = admStrToLower($type);

    // only check if array entry exists and has a value
	if(isset($array[$variableName]) && strlen($array[$variableName]) > 0)
	{
		if($type == 'boolean')
		{
			// A boolean may only have 2 values
			$validValues = array(0, 1);
		}
		
		if($validValues != null)
		{
			// The variable must have a valid value
			if(in_array(admStrToUpper($array[$variableName]), $validValues) == false
			&& in_array(admStrToLower($array[$variableName]), $validValues) == false)
			{
                $errorMessage = $gL10n->get('SYS_INVALID_PAGE_VIEW');
			}
		}
... (rest omitted) ...

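The problem is here: if(in_array(admStrToUpper($array[$variableName]), $validValues) == false && in_array(admStrToLower($array[$variableName]), $validValues) == false)

in_array() is called without its third argument ($strict), so every element of $validValues is compared with ==. For the 'boolean' type $validValues holds the integers 0 and 1, and before PHP 8 a string that only begins with a digit is converted to a number for that comparison, so it passes the check. In the first listing $getActiveRole is concatenated directly into the WHERE clause.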

Testing an example:



bool(true)
bool(false)
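
The comparison behaviour described above, as an added example (not the author's test code and not Admidio's own code): a loose in_array() check of the same shape as the validator, beside a strict one, run over constructed inputs. The function names and sample values are assumptions. Before PHP 8, inputs such as '1abc' and 'abc' pass the loose check; on PHP 8 only numeric strings such as ' 1' and '1e0' still do.

```php
<?php
// Added example. Function names and sample inputs are constructed for illustration.

// Weak check, same shape as the validator on this page (case conversion left out,
// it does not affect the comparison): in_array() without $strict compares with ==.
function isBooleanLoose($value)
{
    return in_array($value, array(0, 1));
}

// Hardened check: only the exact strings '0' and '1' are accepted (strict comparison,
// so no type juggling), and the caller gets an int back instead of the request string.
// Arrays and other non-string request values are rejected by is_string().
function parseBooleanStrict($value)
{
    if (is_string($value) && in_array($value, array('0', '1'), true)) {
        return (int) $value;
    }
    return null; // invalid: the caller should show the error page
}

// Constructed sample values for a parameter such as active_role.
$samples = array('1', '0', '1abc', '0abc', ' 1', '1e0', '2', 'abc');

printf("PHP %s\n", PHP_VERSION);
printf("%-8s %-6s %s\n", 'input', 'loose', 'strict');
foreach ($samples as $s) {
    printf(
        "%-8s %-6s %s\n",
        var_export($s, true),
        var_export(isBooleanLoose($s), true),
        var_export(parseBooleanStrict($s), true)
    );
}
```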


This example is somewhat similar to the article at http://blog.csdn.net/fuck51cto/article/details/8951117.

An analysis of the in_array() function is attached.
