I was asked a question, but I can't even begin to answer it, so could someone give me an idea of how to start answering it?
I'm not looking for the answer, just some guidance on how to approach it.
Here it is:
Assuming "register_globals" and "magic_quotes_gpc" are turned on, what is wrong with this code? Document the possible vulnerabilities, then fix it to produce a secure version (there are 4 bugs).
$p = $_GET["p"];
if ($sp == "index.php") {
if ($_get["id"] == 345)
$filter - addslashes($_get["id"]);
$sql = "SELECT * FROM users WHERE id = {$filter}";
$row - mydql_fetch_assoc(mysql_query($sql));
echo <<< HTML
<html>
...... user details .....
</html>
HTML.
} else
include ($p);
Best answer
This should get you started:
Vulnerability 1: register_globals should be off - it is a security risk.
$p = $_GET["p"];
// Where does $sp come from?
if ($sp == "index.php") {
// What the hell? So much wrong with these two lines
// 1. if id == 345 you don't need to addslashes
// 2. "-" should be "="
// 3. addslashes should be mysql_real_escape_string
// 4. the if() should be removed so it runs every time
if ($_get["id"] == 345)
$filter - addslashes($_get["id"]);
// SQL injection
$sql = "SELECT * FROM users WHERE id = {$filter}";
// Again with the "-" instead of "="
// Typo in the function name
// No error checking
$row - mydql_fetch_assoc(mysql_query($sql));
// No escaping of database input - vulnerable to XSS attacks
echo <<< HTML
<html>
...... user details .....
</html>
HTML. // Should be ; not .
} else
{
// I can include /etc/passwd by manipulating the URL
include ($p);
}
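A hardened rewrite of the snippet, as an added example that is not part of the question or the answer above. It assumes a PDO connection to MySQL (placeholder DSN and credentials), a constructed whitelist of includable pages, and a `name` column in `users`; the comments tie each change back to the problems the answer points out.

```php
<?php
// Hardened version of the snippet (added example, not the original code).
// Assumes: PDO/MySQL connection (placeholders below), a users.name column.
declare(strict_types=1);

// Do not rely on register_globals: read every input explicitly.
$p  = $_GET['p']  ?? 'index.php';
$id = $_GET['id'] ?? null;

// include($p) let the request pick any file; only allow known pages.
$allowed_pages = ['index.php' => true, 'about.php' => true]; // constructed list

// Placeholder connection details (not from the page).
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,   // surface DB errors
    PDO::ATTR_EMULATE_PREPARES => false,                    // server-side prepares
]);

if ($p === 'index.php') {
    // id is numeric: validate it as digits instead of quoting it with
    // addslashes, which does nothing for an unquoted number in SQL.
    if (!ctype_digit((string) $id)) {
        http_response_code(400);
        exit('invalid id');
    }
    // No interpolation into the query: bind the value as a parameter.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit('no such user');
    }
    // Escape database output before it reaches the HTML (stored XSS).
    $name = htmlspecialchars((string) $row['name'], ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<html>
<body>User: {$name}</body>
</html>
HTML;
} elseif (isset($allowed_pages[$p])) {
    include __DIR__ . '/' . $p;   // whitelisted file relative to this script
} else {
    http_response_code(404);
}
```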
Regarding "php - Help with MySQL query", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/1542406/