ECSHOP屏蔽SQL提示 防止ECSHOP注入

通常我们说的注入就是利用了 ecshop的sql错误提示显示出了MD5的密码

对网店来说是非常危险的!


要解决这个问题,最好的方法当然就屏蔽ecshop的sql错误,这样,无论如何的注入都束手无策!


直接看代码: 

找到 \includes\cls_mysql.php

function ErrorMsg($message = '', $sql = '') 


{ 


if ($message) 


{ 


echo "<b>ECSHOP info</b>: $message\n\n<br /><br />"; 


//print('<a href="http://faq.comsenz.com/?type=mysql&dberrno=2003&dberror=Can%27t%20connect%20to%20MySQL%20server%20on" target="_blank">http://faq.comsenz.com/</a>'); 


} 


else 


{ 


echo "<b>MySQL server error report:"; 


print_r($this->error_message); 


//echo "<br /><br /><a href='http://faq.comsenz.com/?type=mysql&dberrno=" . $this->error_message[3]['errno'] . "&dberror=" . urlencode($this->error_message[2]['error']) . "' 

target='_blank'>http://faq.comsenz.com/</a>"; 


}

 

修改为:

 

function ErrorMsg($message = '', $sql = '') 


{ 


if ($message) 


{ 


//echo "<b>ECSHOP info</b>: $message\n\n<br /><br />"; 


//print('<a href="http://faq.comsenz.com/?type=mysql&dberrno=2003&dberror=Can%27t%20connect%20to%20MySQL%20server%20on" target="_blank">http://faq.comsenz.com/</a>'); 


} 


else 


{ 


//echo "<b>MySQL server error report:"; 


//print_r($this->error_message); 


//echo "<br /><br /><a href='http://faq.comsenz.com/?type=mysql&dberrno=" . $this->error_message[3]['errno'] . "&dberror=" . urlencode($this->error_message[2]['error']) . "' 

target='_blank'>http://faq.comsenz.com/</a>"; 


} 
 

exit; 


} exit; 


}

 

 

即把所有的错误输出屏蔽 这样很方便的就解决了注入问题。增加网店的安全系数!

 

posted on 2012-10-17 17:12  ECshop商城二次开发博客  阅读(928)  评论(0编辑  收藏  举报

导航