开发者

Can I use elseif with preg_match in PHP?

问答 作者:

So, I'm creating a vulnerability scanner for SQLI that tests individual websites as a sort of free online service.

Anyways, I'm trying to see if when I scan it if it returns text commonly found on vulnerable sites, I'm using preg_match to do this like so:

          if(preg_match("You have an error in your SQL','Division by zero in|supplied argument is not a valid MySQL result resource in|Call to a member function','Microsoft JET Database|ODBC Microsoft Access Driver|Microsoft OLE DB Provider for SQL Server|Unclosed quotation mark|Microsoft OLE DB Provider for Oracle|Incorrect syntax near|SQL query failed", Connect_Host(str_replace("=", "='", $sites[2][$a])))) {
            echo "Its vulnerable";
          } elseif(preg_match("mysql_num_rows()"||"mysql_fetch_array()"||"Error Occured While Processing Request"||"error"in"your"sql"syntax"||"mysql_fetch_row()"||"VBScript Runtime"||"BOF or EOF"||"mysql_fetch_object()"||"Invalid Querystring", Connect_Host(str_replace("=", "='", $sites[2][$a])))) {
            echo "Its vulnerable";
          } else {
            echo "Its not vulnerable";
            flush(); ob_flush();
          }

Anyways, when I run it, I get an error:

Parse error: syntax error, unexpected T_STRING in C:\xampp\htdocs\scanner\index.php on line 78

In this case, the code that the error is on (line 78) is the elseif, this is the entire line 78:

} elseif(preg_match("mysql_num_rows()"||"mysql_fetch_array()"||"Error Occured While Processing Request"||"error"in"your"sql"syntax"||"mysql_fetch_row()"||"VBS开发者_运维知识库cript Runtime"||"BOF or EOF"||"mysql_fetch_object()"||"Invalid Querystring", Connect_Host(str_replace("=", "='", $sites[2][$a])))) {

So, what am I doing wrong?

First off, preg_match(); is a regular expresion, not normal text, so you (probably) need delimiters.

  • The first parameter states what are you searching for
  • The second parameter states where are you searching

So, corrected, your line should be:

} elseif(preg_match("/(mysql_num_rows\(\)|mysql_fetch_array\(\)|Error Occured While Processing Request|error in your sql syntax|mysql_fetch_row\(\)|VBScript Runtime|BOF or EOF|mysql_fetch_object()|Invalid Querystring/i", Connect_Host(str_replace("=", "='", $sites[2][$a]))))) {

use this in line number 78 : 

} elseif(preg_match("/(mysql_num_rows()|mysql_fetch_array()|Error Occured While Processing Request|error in your sql syntax|mysql_fetch_row()|VBScript Runtime|BOF or EOF|mysql_fetch_object()|Invalid Querystring/i", Connect_Host(str_replace("=", "='", $sites[2][$a]))))) {

继续阅读:phppreg-matchsql-injection

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9