PHP代码审计：in_array()函数缺陷与安全风险<\/h1>

1. in_array()函数基础<\/h2>

1.1 函数定义<\/h3>

in_array()<\/code>是PHP中用于检查数组中是否存在某个值的函数，其定义如下：<\/p>

bool<\/span> in_array<\/span> ( mixed<\/span> $needle , array<\/span> $haystack [, bool<\/span> $strict =<\/span> FALSE<\/span> ] )
<\/span><\/span><\/code><\/pre>
$needle<\/code>: 要搜索的值<\/li>
$haystack<\/code>: 要搜索的数组<\/li>
$strict<\/code>: 是否进行严格类型检查（默认为FALSE）<\/li>
<\/ul>
1.2 弱类型比较问题<\/h3>
当$strict<\/code>参数为FALSE（默认值）时，in_array()<\/code>会进行弱类型比较，可能导致意外的类型转换：<\/p>
$array =<\/span> array<\/span>(1<\/span>, 2<\/span>, 3<\/span>, 4<\/span>, 5<\/span>);
<\/span><\/span>var_dump<\/span>(in_array<\/span>('2abc'<\/span>, $array));  \/\/ 返回true，因为'2abc'被强制转换为数字2
<\/span><\/span><\/span><\/code><\/pre>2. 安全漏洞实例分析<\/h2>
2.1 文件上传绕过案例<\/h3>
原始代码片段：<\/p>
$whitelist =<\/span> range<\/span>(1<\/span>, 24<\/span>);
<\/span><\/span>if<\/span> (!<\/span>in_array<\/span>($_POST['file_id'<\/span>], $whitelist)) {
<\/span><\/span>    die<\/span>('Invalid file ID'<\/span>);
<\/span><\/span>}
<\/span><\/span>\/\/ 允许上传文件
<\/span><\/span><\/span><\/code><\/pre>漏洞利用<\/strong>：

攻击者可提交7shell.php<\/code>作为文件ID：<\/p>

in_array()<\/code>将'7shell.php'<\/code>强制转换为数字7<\/li>
数字7在1-24范围内<\/li>
绕过安全检查，实现任意文件上传<\/li>
<\/ol>
2.2 SQL注入案例（Piwigo 2.7.1）<\/h3>
漏洞位于include\/functions_rate.inc.php<\/code>：<\/p>
function<\/span> rate_picture<\/span>($image_id, $rate) {
<\/span><\/span>    global<\/span> $conf;
<\/span><\/span>    
<\/span><\/span>    \/\/ 不安全的使用in_array
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>in_array<\/span>($rate, $conf['rate_items'<\/span>])) {
<\/span><\/span>        die<\/span>('Invalid rating value'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 直接拼接$rate到SQL语句
<\/span><\/span><\/span><\/span>    $query =<\/span> 'INSERT INTO piwigo_rate (user_id, element_id, rate) VALUES ('<\/span>.<\/span>$user_id.<\/span>', '<\/span>.<\/span>$image_id.<\/span>', '<\/span>.<\/span>$rate.<\/span>')'<\/span>;
<\/span><\/span>    \/\/ 执行SQL...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>$conf['rate_items']<\/code>定义为array(0,1,2,3,4,5)<\/code><\/p>
漏洞利用<\/strong>：

提交rate=1,1 and if(ascii(substr((select database()),1,1))=112,1,sleep(3)))#<\/code><\/p>
生成的SQL语句：<\/p>
INSERT<\/span> INTO<\/span> piwigo_rate (user_id, element_id, rate) 
<\/span><\/span>VALUES<\/span> (2<\/span>, 1<\/span>, 1<\/span>,1<\/span> and<\/span> if<\/span>(ascii(substr((select<\/span> database<\/span>()),1<\/span>,1<\/span>))=<\/span>112<\/span>,1<\/span>,sleep(3<\/span>)))#<\/span>)
<\/span><\/span><\/code><\/pre>3. CTF题目分析<\/h2>
3.1 题目代码<\/h3>
\/\/ 获取用户数量并生成白名单
<\/span><\/span><\/span><\/span>$sql =<\/span> "SELECT COUNT(*) FROM users"<\/span>;
<\/span><\/span>$result =<\/span> $conn-><\/span>query<\/span>($sql);
<\/span><\/span>if<\/span> ($result-><\/span>num_rows<\/span> ><\/span> 0<\/span>) {
<\/span><\/span>    $row =<\/span> $result-><\/span>fetch_assoc<\/span>();
<\/span><\/span>    $whitelist =<\/span> range<\/span>(1<\/span>, $row['COUNT(*)'<\/span>]);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 获取用户输入
<\/span><\/span><\/span><\/span>$id =<\/span> stop_hack<\/span>($_GET['id'<\/span>]);
<\/span><\/span>
<\/span><\/span>\/\/ 白名单检查
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>in_array<\/span>($id, $whitelist)) {
<\/span><\/span>    die<\/span>("id <\/span>$id<\/span> is not in whitelist."<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 执行SQL查询
<\/span><\/span><\/span><\/span>$sql =<\/span> "SELECT * FROM users WHERE id= <\/span>$id<\/span>"<\/span>;
<\/span><\/span>$result =<\/span> $conn-><\/span>query<\/span>($sql);
<\/span><\/span><\/code><\/pre>3.2 漏洞点<\/h3>

in_array()<\/code>未启用严格模式<\/li>
stop_hack()<\/code>函数过滤不完整<\/li>
SQL语句直接拼接用户输入<\/li>
<\/ol>
3.3 利用方法<\/h3>
假设users表有5条记录，白名单为array(1,2,3,4,5)<\/code><\/p>
Payload示例<\/strong>：<\/p>
?id=1 union select 1,flag,3,4 from flag
<\/code><\/pre>
由于in_array()<\/code>的弱类型比较：<\/p>

'1 union select 1,flag,3,4 from flag'<\/code>被强制转换为数字1<\/li>
数字1在白名单中<\/li>
绕过检查，执行SQL注入<\/li>
<\/ul>
4. 修复建议<\/h2>
4.1 启用严格模式<\/h3>
\/\/ 安全用法
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>in_array<\/span>($value, $array, true<\/span>)) {
<\/span><\/span>    die<\/span>('Invalid value'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 类型强制转换<\/h3>
\/\/ 确保比较的是相同类型
<\/span><\/span><\/span><\/span>$value =<\/span> (int<\/span>)$value;
<\/span><\/span>if<\/span> (!<\/span>in_array<\/span>($value, $array)) {
<\/span><\/span>    die<\/span>('Invalid value'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 使用正则表达式验证<\/h3>
if<\/span> (!<\/span>preg_match<\/span>('\/^\d+$\/'<\/span>, $value) ||<\/span> !<\/span>in_array<\/span>($value, $array, true<\/span>)) {
<\/span><\/span>    die<\/span>('Invalid value'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.4 参数化查询<\/h3>
对于SQL注入防护：<\/p>
$stmt =<\/span> $conn-><\/span>prepare<\/span>("SELECT * FROM users WHERE id = ?"<\/span>);
<\/span><\/span>$stmt-><\/span>bind_param<\/span>("i"<\/span>, $id);
<\/span><\/span>$stmt-><\/span>execute<\/span>();
<\/span><\/span><\/code><\/pre>5. 总结<\/h2>

in_array()<\/code>默认的弱类型比较可能导致安全绕过<\/li>
类型转换问题常出现在文件上传、权限检查、输入验证等场景<\/li>
结合SQL注入时危害更大<\/li>
修复关键是启用严格模式或确保类型一致性<\/li>
防御需要多层次：输入验证、参数化查询、输出编码等<\/li>
<\/ol>
6. 扩展思考<\/h2>

PHP中其他存在弱类型比较问题的函数：array_search()<\/code>、==<\/code>比较等<\/li>
类似漏洞在自动化漏洞扫描中可能被忽略<\/li>
开发中应建立安全编码规范，避免此类问题<\/li>
<\/ol>

PHP代码审计：in_array()函数缺陷与安全风险<\/h1>

1. in_array()函数基础<\/h2>

2. 安全漏洞实例分析<\/h2>

3. CTF题目分析<\/h2>

4. 修复建议<\/h2>

6. 扩展思考<\/h2> PHP中其他存在弱类型比较问题的函数：array_search()<\/code>、==<\/code>比较等<\/li> 类似漏洞在自动化漏洞扫描中可能被忽略<\/li> 开发中应建立安全编码规范，避免此类问题<\/li> <\/ol>

6. 扩展思考<\/h2>

PHP中其他存在弱类型比较问题的函数：`array_search()<\/code>、==<\/code>比较等<\/li>`
`类似漏洞在自动化漏洞扫描中可能被忽略<\/li>`
`开发中应建立安全编码规范，避免此类问题<\/li> <\/ol>`