modules/message/index.php
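/**
 * Handle the "reply to a private message" action.
 *
 * On a submitted form (dosubmit set) the row written to the message table is
 * built from an explicit field list rather than from $_POST['info'] as a whole:
 * the request supplies only replyid, send_to_id, subject and content, and every
 * other column is set here. Passing the raw POST array to insert() let the
 * request choose which columns are written (and their names). Without a submit
 * the send template is rendered instead.
 *
 * @return bool FALSE when the insert fails; otherwise showmessage() ends the request.
 */
public function reply() {
    if(isset($_POST['dosubmit'])) {
        $post = isset($_POST['info']) && is_array($_POST['info']) ? $_POST['info'] : array();
        $messageid = intval(isset($post['replyid']) ? $post['replyid'] : 0);
        // Check whether the current member is allowed to send private messages.
        $this->message_db->messagecheck($this->_userid);
        // Check that the member is entitled to reply to this message.
        $this->check_user($messageid, 'to');
        // Only these fields ever reach the database; everything else in $_POST['info'] is dropped.
        $info = array(
            'replyid'      => $messageid,
            'send_to_id'   => isset($post['send_to_id']) ? $post['send_to_id'] : '',
            'send_from_id' => $this->_username,
            'message_time' => SYS_TIME,
            'status'       => '1',
            'folder'       => 'inbox',
            'content'      => safe_replace(isset($post['content']) ? $post['content'] : ''),
            'subject'      => safe_replace(isset($post['subject']) ? $post['subject'] : ''),
        );
        if(empty($info['send_to_id'])) {
            showmessage(L('user_noempty'), HTTP_REFERER);
        }
        // insert() uses the array keys as column names; with the fixed list above they are known identifiers.
        $messageid = $this->message_db->insert($info, true);
        if(!$messageid) return FALSE;
        showmessage(L('operation_success'), HTTP_REFERER);
    } else {
        $show_validator = $show_scroll = $show_header = true;
        include template('message', 'send');
    }
}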
mysql.class.php
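/**
 * Insert (or REPLACE) one row built from an associative array.
 *
 * The array keys become the column list and the values are escaped with
 * escape_string(). Column names and the table name are spliced into the
 * statement as identifiers and cannot be bound as parameters, so both are
 * accepted only when they consist of plain identifier characters; any other
 * name makes the call return false, like the other invalid-argument cases.
 * This matters because add_special_char() leaves names containing '(' '.' or
 * '`' unquoted, which is never legitimate for an INSERT column list.
 *
 * @param array  $data             column => value
 * @param string $table            table name (without database prefix)
 * @param bool   $return_insert_id return insert_id() instead of the execute() result
 * @param bool   $replace          emit REPLACE INTO instead of INSERT INTO
 * @return mixed false on invalid input, else the execute() result or the new id
 */
public function insert($data, $table, $return_insert_id = false, $replace = false) {
    if(!is_array($data) || $table == '' || count($data) == 0) {
        return false;
    }
    // Identifier check: letters, digits and underscore only, for the table and every column name.
    if(!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        return false;
    }
    $fielddata = array_keys($data);
    foreach($fielddata as $fieldname) {
        if(!preg_match('/^[A-Za-z0-9_]+$/', (string)$fieldname)) {
            return false;
        }
    }
    $valuedata = array_values($data);
    // After the check above every name takes the back-quoting branch of add_special_char().
    array_walk($fielddata, array($this, 'add_special_char'));
    array_walk($valuedata, array($this, 'escape_string'));
    $field = implode(',', $fielddata);
    $value = implode(',', $valuedata);
    $cmd = $replace ? 'REPLACE INTO' : 'INSERT INTO';
    $sql = $cmd.' `'.$this->config['database'].'`.`'.$table.'`('.$field.') VALUES ('.$value.')';
    $return = $this->execute($sql);
    return $return_insert_id ? $this->insert_id() : $return;
}

/**
 * Back-quote a field name in place, unless it looks like an expression.
 *
 * A bare '*' or a name containing '(' '.' or '`' is left untouched so that
 * callers can pass SQL functions and table-qualified columns; this means the
 * routine does not make an arbitrary string safe, and callers that take names
 * from a request must validate them first (insert() does).
 *
 * @param string $value field name, modified by reference
 * @return string the processed value
 */
public function add_special_char(&$value) {
    if('*' == $value || false !== strpos($value, '(') || false !== strpos($value, '.') || false !== strpos($value, '`')) {
        // Left as-is: '*' or an expression / qualified name.
    } else {
        $value = '`'.trim($value).'`';
    }
    // Strip the listed keywords; a no-op when nothing matches, so preg_replace alone suffices.
    // NOTE(review): the pattern reads "/b(...)b/" here; if the anchors were meant to be \b
    // word boundaries the backslashes are missing in this copy — confirm against the file on disk.
    $value = preg_replace("/b(select|insert|update|delete)b/i", '', $value);
    return $value;
}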