How can this PHP authorization function be cracked?

Bri*_*man 1 php security authorization

This is a recursive function I wrote to determine whether a given user is authorized to view the content on a page. It is basically called in the following way:

if(authorize($_SESSION['user']['user_id'], $necessaryClearance)){
    //Output restricted content
} else{
    //Inform user they are not authorized
}

Each user has a clearance level and a clearance status. This allows the authorize function to be called with $clearance as either a clearance level that the user must match or beat, a clearance status the user must match, or an array of statuses (any one of which the user may match). Usually $user_id is pulled from the session data ($_SESSION['user']['user_id'], refreshed from the database on every page load), and the clearance is set explicitly on a per-page or per-module basis.

//This function checks if the user is authorized to view the page
//It returns 1 if access is granted and a 0 if access is denied
function authorize($id, $clearance){
    //$clearance == array
    if (is_array($clearance)){
        //if yes, iterate the array through authorize($id, $clearance[])
        $tally = 0; //initialize so an empty or non-matching array returns 0
        foreach($clearance as $userStatus){
            $tally += authorize($id, $userStatus);
        }
        return $tally;
    //if no, check if $clearance is equal to a string
    }else if (is_string($clearance)){
        $string = "SELECT status
                   FROM users
                   WHERE id = '$id'
                   LIMIT 1";
        //If result returned.
        if($userData = mysql_fetch_array(Query($string))){
            if($clearance == $userData['status']){
                return 1;
            }else{
                return 0;
            }
        } else{
            return 0;
        }
    //if no, check if $clearance is equal to a number
    }else if(is_numeric($clearance)){
        $string = "SELECT level
                   FROM users
                   WHERE id = '$id'
                   LIMIT 1";
        //If result returned
        if($userData = mysql_fetch_array(Query($string))){
            //if the user's level is less than or equal to the clearance level, allow access
            if($userData['level'] <= $clearance){
                return 1;
            }else{
                return 0;
            }
        } else{
            return 0;
        }
    }else{
        //if nothing matches the page dies
        die('Authorization has failed.');
    }
}

Are there any obvious security holes in this code?

Jac*_*kin 6

Yes. You are not doing any escaping on the $id parameter!

This means your query is vulnerable to SQL injection.

  • Injecting variables like that is still bad practice. Use parameter binding. (2 upvotes)
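The fix the answer and comment point at, written out as an added example (not the asker's or answerer's code): the same authorize() logic with $id passed as a bound PDO parameter instead of being spliced into the SQL string. It assumes a PDO connection $pdo to the same users table (columns id, status, level) and fails closed by throwing on an unsupported clearance type where the original called die().

```php
<?php
// Added example: authorize() rewritten with prepared statements.
// Assumes $pdo is an open PDO connection to the database holding `users`.

function authorize(PDO $pdo, int $id, $clearance): bool
{
    // Array of statuses: access is granted if the user matches any one of them.
    if (is_array($clearance)) {
        foreach ($clearance as $userStatus) {
            if (authorize($pdo, $id, $userStatus)) {
                return true;
            }
        }
        return false;
    }

    // Select the column from a fixed list; only the user id is attacker-influenced.
    if (is_string($clearance)) {
        $column = 'status';
    } elseif (is_numeric($clearance)) {
        $column = 'level';
    } else {
        throw new InvalidArgumentException('Unsupported clearance type');
    }

    // $column is one of two literals chosen above, so it may be interpolated;
    // $id is bound as an integer parameter and never becomes part of the SQL text.
    $stmt = $pdo->prepare("SELECT $column FROM users WHERE id = :id LIMIT 1");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false; // unknown user: deny
    }

    if ($column === 'status') {
        // Strict comparison avoids PHP loose-equality surprises between strings and numbers.
        return $row['status'] === $clearance;
    }
    // Same rule as the original: the user's level must be <= the required clearance.
    return (int) $row['level'] <= (int) $clearance;
}

// Call site mirrors the original:
// if (authorize($pdo, (int) $_SESSION['user']['user_id'], $necessaryClearance)) { ... }
```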