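The injection we usually talk about exploits ECShop's SQL error messages, which end up displaying the MD5 password hash.
For an online shop this is very dangerous!
The best way to solve this is, of course, to suppress ECShop's SQL errors, so that any injection attempt is left with nothing to work with.
Let's go straight to the code.
Locate \includes\cls_mysql.php: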
    function ErrorMsg($message = '', $sql = '')
    {
        if ($message)
        {
            // Prints the application-level message to the browser
            echo "<b>ECSHOP info</b>: $message\n\n<br /><br />";
            //print('<a href="http://faq.comsenz.com/?type=mysql&dberrno=2003&dberror=Can" target="_blank" rel="nofollow">
        }
        else
        {
            // Dumps the collected MySQL error details to the browser
            echo "<b>MySQL server error report:";
            print_r($this->error_message);
            //echo "<br /><br /><a href="http://faq.comsenz.com/?type=mysql&dberrno=" target="_blank" rel="nofollow">target='_blank'>http://faq.comsenz.com/</a>";
        }
        exit;
    }
Change it to:
    function ErrorMsg($message = '', $sql = '')
    {
        if ($message)
        {
            // Output disabled: nothing is sent to the browser
            //echo "<b>ECSHOP info</b>: $message\n\n<br /><br />";
            //print('<a href="http://faq.comsenz.com/?type=mysql&dberrno=2003&dberror=Can" target="_blank" rel="nofollow">
        }
        else
        {
            // Output disabled: the MySQL error details are no longer displayed
            //echo "<b>MySQL server error report:";
            //print_r($this->error_message);
            //echo "<br /><br /><a href="http://faq.comsenz.com/?type=mysql&dberrno=" target="_blank" rel="nofollow">target='_blank'>http://faq.comsenz.com/</a>";
        }
        exit;
    }
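In other words, all error output is suppressed. This is a very convenient way to solve the injection problem and raise the shop's level of security!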
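Commenting out every echo also leaves the shop's operator with no record of failing queries. The following added example (not ECShop's code and not from the original page) keeps the browser output generic while writing the full error to a server-side log. DemoMysql, oneLine(), the log path and the sample query are assumptions made for illustration.

```php
<?php
// Added example, not ECShop's own code. DemoMysql is a hypothetical stand-in
// for cls_mysql; the log path is an assumption and must sit outside the web root.
class DemoMysql
{
    var $error_message = array();
    var $log_file = '/var/log/ecshop/sql_error.log'; // assumed path

    function ErrorMsg($message = '', $sql = '')
    {
        // Short reference the customer can quote; it carries no SQL detail.
        $ref = strtoupper(substr(md5(uniqid('', true)), 0, 8));

        // Full detail goes to the server-side log only.
        $detail = $message ? $message : print_r($this->error_message, true);
        $line = sprintf("[%s] ref=%s ip=%s uri=%s error=%s sql=%s\n",
            date('Y-m-d H:i:s'),
            $ref,
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
            isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-',
            $this->oneLine($detail),
            $this->oneLine($sql));
        error_log($line, 3, $this->log_file); // type 3 = append to file

        if (!headers_sent()) {
            header('HTTP/1.1 500 Internal Server Error');
        }
        echo 'The shop is temporarily unavailable. Reference: ' . $ref;
        exit;
    }

    // Collapse CR/LF so request-controlled text cannot forge extra log lines.
    function oneLine($text)
    {
        return preg_replace('/[\r\n]+/', ' ', (string) $text);
    }
}

// Constructed failure for the demo: a malformed query and its error record.
$db = new DemoMysql();
$db->log_file = sys_get_temp_dir() . '/ecshop_sql_error_demo.log';
$db->error_message[] = array('error' => 'You have an error in your SQL syntax');
$db->error_message[] = array('errno' => 1064);
$db->ErrorMsg('', 'SELECT goods_name FROM ecs_goods WHERE goods_id =');
```

A burst of logged syntax errors from a single address is a useful signal that the shop's parameters are being probed. Hiding the message removes only the error display; the query that failed still needs its input escaped or bound.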