/core/lib/core/Db.class.php 内的 parse_value 函数还是老样子（根因未动），上一次只是在 lib/ctrlr/Member/ArchiveCtrlr.class.php 这一个控制器里加了过滤；其他同样把 ARequest::get() 整个结果直接传给 Model 的控制器仍然存在相同问题。
在用户注册处（register_do）：
/**
 * Handles the member registration form submission.
 *
 * NOTE(review): `$data` starts out as the ENTIRE request array and is handed
 * to add_member() at the end; only the keys explicitly assigned below are
 * normalised. Nothing visible in this excerpt removes keys the controller
 * did not predefine, so any extra POST field (e.g. `member_id`) reaches the
 * model untouched (mass assignment). The "...." lines are elided in the
 * original write-up, so these comments cover only what is shown here.
 */
public function register_do() {
/* check member register switch */
if(!$this->_o_m['register']) {
$this->error(L('MEMBER_REGISTER_IS_OFF'), __APP__);
}
check_interaction('register'); // presumably a CSRF / anti-automation check — confirm in its definition
............
$data = ARequest::get(); // with no key argument this pulls in the whole request (every POST field), unfiltered
...........
/* predefined fields: each is overwritten with a normalised value, but every
   other request key already sitting in $data is left exactly as submitted */
$data['member_model_id'] = intval(ARequest::get('member_model_id'));
$data['m_userid'] = strtolower(ARequest::get('m_userid'));
$data['m_username'] = ARequest::get('m_username'); // no normalisation applied to the display name
$data['m_email'] = strtolower(ARequest::get('m_email'));
// NOTE(review): md5(userid . md5(password)) is not a password hash; prefer password_hash()/password_verify()
$data['m_password'] = md5($data['m_userid'] . md5(ARequest::get('m_password')));
$data['m_points'] = 0;
$data['m_reg_time'] = time();
$data['m_reg_ip'] = AServer::get_ip(); // whether this trusts proxy headers such as X-Forwarded-For is not visible here — verify
$data['m_login_time'] = $data['m_reg_time'];
$data['m_login_ip'] = $data['m_reg_ip'];
$data['member_level_id'] = $_MMI['mm_default_level']; // these fields are predefined (overwritten) by the controller
.........
// the whole $data array — predefined keys plus any caller-supplied extras — goes to the model
$result = M('Member')->add_member($data);
注册用户时，在 POST 数据里额外加一个控制器没有预定义的字段（例如 member_id），它会原样留在 $data 里并被传给 add_member()，数据就出来了。
全局搜索 ARequest::get() 的无参调用（整体取请求），还能找到同类写法：
D:/wamp/www/lib/ctrlr/Member/CustomModelCtrlr.class.php
/**
 * Handles submission of a custom-model content form.
 *
 * NOTE(review): after the model lookup, `$data` is rebuilt as
 * array_merge(<whole request>, $data). Only `custom_model_id` keeps its
 * validated value (the right-hand array wins for duplicate string keys);
 * every other request key is passed straight through to add_content() —
 * the same pattern as register_do(). The "...." line is elided in the
 * original write-up, so these comments cover only what is shown here.
 */
public function add_content_do() {
check_interaction(); // presumably a CSRF / anti-automation check — confirm in its definition
$data = array();
$data['custom_model_id'] = intval(ARequest::get('custom_model_id'));
$_CMI = M('CustomModel')->get_modelInfo($data['custom_model_id']);
if(empty($_CMI) or !$_CMI['cm_status']) {
$this->error(L('MODEL_IS_NOT_ACTIVE'), Url::U('member/index'));
}
.............
$data = array_merge(ARequest::get(), $data); // the whole request comes in again; only custom_model_id is overridden by the sanitised value
/* delete external links */
// NOTE(review): as far as this excerpt shows, `delete_external_links` (and so
// each `$field`) also comes from the request, so the caller picks which keys
// this loop touches; a `$field` absent from $data would raise an undefined-index notice.
if(isset($data['delete_external_links']) and !empty($data['delete_external_links'])) {
foreach($data['delete_external_links'] as $field) {
if(MAGIC_QUOTES_GPC) {
$data[$field] = stripslashes($data[$field]); // undo magic quotes before the regex work
}
// mask links to our own host so the strip below leaves them alone
$data[$field] = str_replace(__HOST__, '#basehost#', $data[$field]);
// removes <a ... href="http://..."> open tags (only the http:// scheme is matched) and every </a>
$data[$field] = preg_replace("/(<a[ \t\r\n]{1,}href=[\"']{0,}http:\/\/[^\/]([^>]*)>)|(<\/a>)/isU", '', $data[$field]);
$data[$field] = str_replace('#basehost#', __HOST__, $data[$field]);
if(MAGIC_QUOTES_GPC) {
$data[$field] = addslashes($data[$field]); // re-applies quoting to the VALUE only; it does nothing about the key names in $data
}
}
}
/* insert into model table */
// the merged array — including any undeclared request keys — is handed to the model
$result = M('CustomModel')->add_content($data);
这一类写法建议一次性全部修掉，而不是只修被报告的那个控制器。
解决方案：过滤。具体做法：不要把 ARequest::get() 的完整数组直接传给 Model（add_member / add_content），改为按白名单只取控制器预定义的字段、丢弃其他所有键；同时在 Db.class.php 的 parse_value / 字段名拼接处对键名统一做校验，这样即使某个控制器漏了过滤也有兜底。