PHP代码审计：in_array函数缺陷与安全风险<\/h1>

1. in_array函数基础<\/h2>

1.1 函数定义<\/h3>
in_array()<\/code>是PHP中用于检查数组中是否存在某个值的函数，其定义如下：<\/p>
bool<\/span> in_array<\/span> ( mixed<\/span> $needle , array<\/span> $haystack [, bool<\/span> $strict =<\/span> FALSE<\/span> ] )
<\/span><\/span><\/code><\/pre>1.2 参数说明<\/h3>

$needle<\/code>: 要搜索的值<\/li>
$haystack<\/code>: 要搜索的数组<\/li>
$strict<\/code>: 可选参数，默认为FALSE，决定是否进行严格类型检查<\/li>
<\/ul>
1.3 工作模式<\/h3>

非严格模式<\/strong>(默认): 会进行松散比较，可能导致类型转换<\/li>
严格模式<\/strong>: 同时比较值和类型，避免意外类型转换<\/li>
<\/ul>
2. 安全漏洞分析<\/h2>
2.1 漏洞原理<\/h3>
当in_array()<\/code>函数在非严格模式下使用时，PHP会进行自动类型转换，可能导致安全绕过：<\/p>
$whitelist =<\/span> range<\/span>(1<\/span>, 24<\/span>);
<\/span><\/span>$filename =<\/span> '7shell.php'<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 非严格比较
<\/span><\/span><\/span><\/span>if<\/span> (in_array<\/span>($filename, $whitelist)) {
<\/span><\/span>    \/\/ 这里会被绕过，因为'7shell.php'会被强制转换为数字7
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 实际案例：Piwigo 2.7.1 SQL注入<\/h3>
在Piwigo 2.7.1中，存在以下漏洞代码：<\/p>
\/\/ include\/functions_rate.inc.php
<\/span><\/span><\/span><\/span>function<\/span> rate_picture<\/span>($image_id, $rate)
<\/span><\/span>{
<\/span><\/span>    global<\/span> $conf;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (!<\/span>in_array<\/span>($rate, $conf['rate_items'<\/span>])) {
<\/span><\/span>        die<\/span>('Invalid rate'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 直接拼接$rate变量导致SQL注入
<\/span><\/span><\/span><\/span>    $query =<\/span> 'INSERT INTO '<\/span>.<\/span>RATES_TABLE<\/span>.<\/span>' (user_id,anonymous_id,element_id,rate,date)'<\/span>;
<\/span><\/span>    $query.=<\/span> ' VALUES ('<\/span>.<\/span>$_user['id'<\/span>].<\/span>',\''<\/span>.<\/span>$anonymous_id.<\/span>'\','<\/span>.<\/span>$image_id.<\/span>','<\/span>.<\/span>$rate.<\/span>',NOW())'<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击者可构造如下Payload：<\/p>
rate=1,1 and if(ascii(substr((select database()),1,1))=112,1,sleep(3)));#
<\/code><\/pre>
3. 漏洞利用场景<\/h2>
3.1 文件上传绕过<\/h3>
当使用数字白名单验证文件名时：<\/p>
$allowed =<\/span> range<\/span>(1<\/span>, 24<\/span>);
<\/span><\/span>$filename =<\/span> $_FILES['file'<\/span>]['name'<\/span>];
<\/span><\/span>
<\/span><\/span>if<\/span> (in_array<\/span>($filename, $allowed)) {
<\/span><\/span>    \/\/ 允许上传
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击者可上传7shell.php<\/code>绕过检查。<\/p>
3.2 SQL注入<\/h3>
当使用非严格模式验证用户输入并直接拼接SQL时：<\/p>
$rate =<\/span> $_POST['rate'<\/span>];
<\/span><\/span>$allowed =<\/span> array<\/span>(0<\/span>,1<\/span>,2<\/span>,3<\/span>,4<\/span>,5<\/span>);
<\/span><\/span>
<\/span><\/span>if<\/span> (in_array<\/span>($rate, $allowed)) {
<\/span><\/span>    \/\/ 直接拼接导致SQL注入
<\/span><\/span><\/span><\/span>    $sql =<\/span> "UPDATE table SET rate = <\/span>$rate<\/span> WHERE id = 1"<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 修复方案<\/h2>
4.1 启用严格模式<\/h3>
if<\/span> (in_array<\/span>($value, $whitelist, true<\/span>)) {
<\/span><\/span>    \/\/ 严格比较
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 类型强制转换<\/h3>
$value =<\/span> intval<\/span>($value);
<\/span><\/span>if<\/span> (in_array<\/span>($value, $whitelist)) {
<\/span><\/span>    \/\/ 已确保类型一致
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 正则表达式验证<\/h3>
if<\/span> (preg_match<\/span>('\/^\d+$\/'<\/span>, $value) &&<\/span> in_array<\/span>($value, $whitelist)) {
<\/span><\/span>    \/\/ 双重验证
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.4 白名单设计改进<\/h3>
\/\/ 使用字符串白名单而非数字
<\/span><\/span><\/span><\/span>$allowed =<\/span> array<\/span>('1'<\/span>, '2'<\/span>, '3'<\/span>, '4'<\/span>, '5'<\/span>);
<\/span><\/span>if<\/span> (in_array<\/span>((string<\/span>)$value, $allowed, true<\/span>)) {
<\/span><\/span>    \/\/ 更安全的验证
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. CTF题目分析<\/h2>
5.1 题目代码<\/h3>
\/\/ index.php
<\/span><\/span><\/span><\/span>$whitelist =<\/span> range<\/span>(1<\/span>, $row['COUNT(*)'<\/span>]);
<\/span><\/span>$id =<\/span> stop_hack<\/span>($_GET['id'<\/span>]);
<\/span><\/span>
<\/span><\/span>if<\/span> (!<\/span>in_array<\/span>($id, $whitelist)) {
<\/span><\/span>    die<\/span>("id <\/span>$id<\/span> is not in whitelist."<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$sql =<\/span> "SELECT * FROM users WHERE id=<\/span>$id<\/span>"<\/span>;
<\/span><\/span><\/code><\/pre>5.2 过滤函数<\/h3>
function<\/span> stop_hack<\/span>($value){
<\/span><\/span>    $pattern =<\/span> "insert|delete|or|concat|concat_ws|group_concat|join|floor|union|into|load_file|outfile|dumpfile|sub|hex|file_put_contents|fwrite|curl|system|eval"<\/span>;
<\/span><\/span>    $back_list =<\/span> explode<\/span>("|"<\/span>,$pattern);
<\/span><\/span>    foreach<\/span>($back_list as<\/span> $hack){
<\/span><\/span>        if<\/span>(preg_match<\/span>("\/<\/span>$hack<\/span>\/i"<\/span>, $value)) die<\/span>("<\/span>$hack<\/span> detected!"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $value;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.3 解题思路<\/h3>

利用in_array()<\/code>非严格比较绕过白名单检查<\/li>
构造Payload时不使用被过滤的关键字<\/li>
可能的Payload示例：
id=1 AND (SELECT flag FROM flag)
<\/code><\/pre>
<\/li>
<\/ol>
6. 最佳实践总结<\/h2>

始终使用严格模式<\/strong>：in_array($value, $array, true)<\/code><\/li>
输入验证与输出编码<\/strong>：验证所有用户输入，编码所有输出<\/li>
最小权限原则<\/strong>：数据库连接使用最小必要权限<\/li>
参数化查询<\/strong>：使用预处理语句替代SQL拼接<\/li>
深度防御<\/strong>：多层安全措施，不依赖单一防护<\/li>
安全编码培训<\/strong>：提高开发人员安全意识<\/li>
<\/ol>
7. 扩展思考<\/h2>

PHP弱类型系统带来的其他安全问题<\/li>
自动化代码审计工具如何检测此类漏洞<\/li>
在现代化PHP框架中如何避免此类问题<\/li>
其他存在类似问题的PHP函数（如array_search()<\/code>等）<\/li>
<\/ol>
通过深入理解in_array()<\/code>函数的工作原理和安全风险，开发人员可以编写更安全的代码，有效预防此类漏洞的发生。<\/p>