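What we usually call injection here exploits ECShop's SQL error messages, which display the MD5 password hash. For an online shop this is very dangerous!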
Find the following in \includes\cls_mysql.php:

    function ErrorMsg($message = '', $sql = '')
    {
        if ($message)
        {
            echo "<b>ECSHOP info</b>: $message\n\n<br /><br />";
            //print('<a href="http://faq./?type=mysql&dberrno=2003&dberror=Can" target="_blank" rel="nofollow">
        }
        else
        {
            echo "<b>MySQL server error report:";
            print_r($this->error_message);
            //echo "<br /><br /><a href="http://faq./?type=mysql&dberrno=" target="_blank" rel="nofollow"> target='_blank'>http://faq./</a>";
        }

        exit;
    }
Change it to:

    function ErrorMsg($message = '', $sql = '')
    {
        if ($message)
        {
            //echo "<b>ECSHOP info</b>: $message\n\n<br /><br />";
            //print('<a href="http://faq./?type=mysql&dberrno=2003&dberror=Can" target="_blank" rel="nofollow">
        }
        else
        {
            //echo "<b>MySQL server error report:";
            //print_r($this->error_message);
            //echo "<br /><br /><a href="http://faq./?type=mysql&dberrno=" target="_blank" rel="nofollow"> target='_blank'>http://faq./</a>";
        }

        exit;
    }

That is, suppress all of the error output. This conveniently solves the injection problem and raises the shop's security level!
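
Blanking ErrorMsg() stops the error text from reaching the browser, but the failing query itself is unchanged and the shop owner no longer sees it either. As an added example (not ECShop code; the class and method names are hypothetical, and PHP 7.2+ is assumed), the same function can keep the page silent while writing the details to the server log:

```php
<?php
// Added example, not ECShop code. SafeDbErrorReporter and its methods are
// hypothetical names; assumes PHP 7.2+ (random_bytes, JSON_INVALID_UTF8_SUBSTITUTE).
class SafeDbErrorReporter
{
    /**
     * Build one log line holding everything the old ErrorMsg() echoed.
     * JSON encoding escapes CR/LF, so attacker-influenced SQL text cannot
     * forge extra log entries.
     */
    public function formatLogLine($ref, $message, $sql, $errorInfo)
    {
        return 'db-error ' . json_encode(
            array(
                'ref'     => $ref,
                'message' => (string) $message,
                'sql'     => (string) $sql,
                'detail'  => $errorInfo,
            ),
            JSON_INVALID_UTF8_SUBSTITUTE | JSON_UNESCAPED_SLASHES
        );
    }

    /** Log the details server-side and show the visitor only a reference id. */
    public function report($message = '', $sql = '', $errorInfo = array())
    {
        $ref = bin2hex(random_bytes(8)); // ties the visitor's page to the log line
        error_log($this->formatLogLine($ref, $message, $sql, $errorInfo));

        if (!headers_sent()) {
            http_response_code(500);
        }
        echo 'A database error occurred. Reference: ' . $ref;
        exit;
    }
}

// Constructed sample input, shaped like the data ErrorMsg() used to print.
if (PHP_SAPI === 'cli') {
    $reporter = new SafeDbErrorReporter();
    echo $reporter->formatLogLine(
        'constructed-ref',
        'query failed',
        "SELECT 1 FROM t WHERE id = 'x'\r\nforged log entry",
        array('errno' => 1064)
    ), "\n";
}
```

Inside cls_mysql.php the body of ErrorMsg() would pass `$message`, `$sql` and `$this->error_message` to `report()`; repeated entries in the log then point to the queries that still need fixing.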