[实验]csrf dvwa

dvwa low 级别测试：

源代码

<?php

if( isset( $_GET[ 'Change' ] ) ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

    // Do the passwords match?
    //两次密码是否一致？
    if( $pass_new == $pass_conf ) {
        // They do!
        //一致的话，条件 ? 结果1 : 结果2。
        //一致的话，查看有没有设置数据库连接的全局变量和其是否为一个对象
        //是的话，用mysqli_real_escape_string（）函数去转义一些字符，如果不是的话输出错误。

        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"],  $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        //
        $pass_new = md5( $pass_new );//对密码进行md5加密

        // Update the database
        //更新数据，失败则输出错误
        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );

        // Feedback for the user
        $html .= "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with passwords matching
        $html .= "<pre>Passwords did not match.</pre>";
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

• $GLOBALS[“___mysqli_ston”] ？？？

$GLOBALS — 引用全局作用域中可用的全部变量

$GLOBALS 这种全局变量用于在 PHP 脚本中的任意位置访问全局变量（从函数或方法中均可）。

PHP 在名为 $GLOBALS[index] 的数组中存储了所有全局变量。变量的名字就是数组的键。

MySQLConverter assumes that this global variable is set to equal your DB connection object; if the converter finds a mysql_connect it will (partially, but with a warning) convert your code into code that includes an assignment of $GLOBALS[“___mysqli_ston”] to the result of the mysqli_connect function something like this:

<