A serious bug in the vBB 3.0.x invitation-registration hack

The modified portion of register.php

 

//********************* registration code verified successfully *********************
if($vboptions['reg_offon'])
{
    $fusername = $_POST['username'];
    $message = "您申请的注册码 $cofe 已经被您的朋友 $fusername 成功注册！";
    // mark the invitation code as used
    $DB_site->query("UPDATE " . TABLE_PREFIX . "regcode SET open=0 WHERE regcodeid=$codeinfo[regcodeid]");
    // send a private message to the user who owns the invitation code
    $DB_site->query("INSERT INTO " . TABLE_PREFIX . "pmtext\n\t(fromuserid, fromusername, title, message, touserarray, iconid, dateline, showsignature, allowsmilie)\n\t VALUES(2, '管理员', '您申请的注册码成功被注册', '$message', '" . addslashes(serialize(array($bbuserinfo['username']))) . "', '', " . TIMENOW . ", 1, 1)");
    $pmtextid = $DB_site->insert_id();
    $DB_site->query("INSERT INTO " . TABLE_PREFIX . "pm (pmtextid, userid) VALUES ($pmtextid, $codeinfo[userid])");
    // BUG: the WHERE clause below is missing "userid =" (see the note that follows)
    $DB_site->query("UPDATE " . TABLE_PREFIX . "user SET  pmtotal=pmtotal+1, pmunread=pmunread+1 WHERE $codeinfo[userid]");
}
//*********************************************************
//*********************************************************

The WHERE clause of this SQL statement is missing 'userid=': a bare non-zero id evaluates as true for every row, so the UPDATE touches the whole table and corrupts the private-message counters of all users.

$DB_site->query("UPDATE " . TABLE_PREFIX . "user SET  pmtotal=pmtotal+1, pmunread=pmunread+1 WHERE $codeinfo[userid]");

The correct statement is

$DB_site->query("UPDATE " . TABLE_PREFIX . "user SET  pmtotal=pmtotal+1, pmunread=pmunread+1 WHERE userid = $codeinfo[userid]");
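To make the effect of the missing column name concrete, here is an added example (not code from the post or from the hack's author) that reproduces both statement shapes against a small in-memory SQLite database. SQLite, like MySQL, treats a bare non-zero integer in WHERE as true, so the buggy template updates every row. The sample users and counters are constructed for the example, and the `guarded_increment` function is an assumed defensive pattern, not something the hack contains: a per-user counter update should affect exactly one row, and anything else is rolled back.

```python
import sqlite3

# Statement shapes from the hack: the buggy one carries only the bare id in WHERE,
# the fixed one compares it against the userid column.
BUGGY_SQL = "UPDATE user SET pmtotal=pmtotal+1, pmunread=pmunread+1 WHERE {userid}"
FIXED_SQL = "UPDATE user SET pmtotal=pmtotal+1, pmunread=pmunread+1 WHERE userid = {userid}"


def make_db():
    """Constructed sample data (not from the page): three users with known counters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, "
                 "pmtotal INTEGER, pmunread INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)",
                     [(1, "admin", 0, 0), (2, "alice", 3, 1), (3, "bob", 5, 0)])
    conn.commit()
    return conn


def counters(conn):
    """Return {userid: (pmtotal, pmunread)} so the effect of each UPDATE can be compared."""
    rows = conn.execute("SELECT userid, pmtotal, pmunread FROM user ORDER BY userid")
    return {uid: (total, unread) for uid, total, unread in rows}


def increment(conn, userid, template):
    """Run one of the templates for a user and report how many rows it touched.
    int() mirrors the numeric id the hack interpolates; a bare non-zero integer in
    WHERE is true for every row, which is exactly the bug."""
    cur = conn.execute(template.format(userid=int(userid)))
    conn.commit()
    return cur.rowcount


def guarded_increment(conn, userid, template):
    """Assumed defensive variant: a per-user counter update must touch exactly one
    row. Anything else is rolled back and reported instead of silently committed."""
    cur = conn.execute(template.format(userid=int(userid)))
    if cur.rowcount != 1:
        conn.rollback()
        raise RuntimeError(f"counter update for user {userid} matched {cur.rowcount} rows")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("buggy rows affected:", increment(db, 2, BUGGY_SQL), counters(db))
    db = make_db()
    print("fixed rows affected:", increment(db, 2, FIXED_SQL), counters(db))
```

The affected-row count is the cheapest check available in any database client (`mysql_affected_rows()` in the PHP of that era); asserting on it catches this whole class of "WHERE clause accidentally always true" mistakes before the change is committed.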

 

Another piece of code that needs the same change, in reg_code.php:

Line 148

**********************************

       $DB_site->query("UPDATE " . TABLE_PREFIX . "user SET  pmtotal=pmtotal+1, pmunread=pmunread+1,money=money-$vboptions[reg_money] WHERE $bbuserinfo[userid]");

**********************************

should likewise be changed to:

**********************************

       $DB_site->query("UPDATE " . TABLE_PREFIX . "user SET  pmtotal=pmtotal+1, pmunread=pmunread+1,money=money-$vboptions[reg_money] WHERE userid = $bbuserinfo[userid]");

**********************************

 

If the faulty statement has already run on your forum and the private-message counters are wrong, the following script recounts them from the pm table and repairs them:

// database connection
include_once("include/conf.php");

// walk every user and recount their private messages from the pm table
// (table names are used without TABLE_PREFIX here, so this assumes an empty prefix)
$result = mysql_query("SELECT * FROM user ORDER BY userid");
while($row = mysql_fetch_array($result)){
    // total private messages for this user
    $result1 = mysql_query("SELECT count(*) AS pmtotal FROM pm WHERE userid = " . $row['userid']);
    $row1 = mysql_fetch_array($result1);
    // unread private messages for this user
    $result2 = mysql_query("SELECT count(*) AS pmtotal FROM pm WHERE userid = " . $row['userid'] . " AND messageread=0");
    $row2 = mysql_fetch_array($result2);
    // print the statement being applied, then apply it
    echo "UPDATE user SET pmtotal=" . $row1['pmtotal'] . ",pmunread=" . $row2['pmtotal'] . " WHERE userid = " . $row['userid'] . "\n";
    mysql_query("UPDATE user SET pmtotal=" . $row1['pmtotal'] . ",pmunread=" . $row2['pmtotal'] . " WHERE userid = " . $row['userid']);
}
