espcms最新版SQL注入漏洞附分析

在enquiry.php中（以下为节选，所在方法的开头与结尾不在本页内）。从节选可见，$tsn 与 $ptitle 分别由 accept('tsn', 'P') 和 accept('ptitle', 'P') 读取 POST 数据，随后在拼接 $db_values 时被直接写入 INSERT 语句的字符串字面量，而同一循环中的 $did 与 $amount 则经过了 intval 处理；若 accept() 本身未做转义，这两个字符串参数即为注入点，修复应改用参数化查询，或至少在拼接前对其做数据库转义。

$ptitle = $this->fun->accept('ptitle', 'P');

		$tsn = $this->fun->accept('tsn', 'P');

		$did = $this->fun->accept('did', 'P');

		if (empty($did) || empty($amount) || empty($ptitle)) {

			$enquirylink = $this->get_link('enquiry', array(), admin_LNG);

			$this->callmessage($this->lng['enquiry_input_err'], $enquirylink, $this->lng['enquiry_into_listbotton']);

		}

		if (!preg_match("/^\w+((-\w+)|(\.\w+))*\@[A-Za-z0-9]+((\.|-)[A-Za-z0-9]+)*\.[A-Za-z0-9]+$/i", $email)) {

			$this->callmessage($this->lng['email_err'], $_SERVER['HTTP_REFERER'], $this->lng['gobackbotton']);

		}

		$enquirysn = date('YmdHis') . rand(100, 9999);

		$db_table = db_prefix . 'enquiry';

		$db_table2 = db_prefix . 'enquiry_info';

		$addtime = time();

		$db_field = 'enquirysn,userid,linkman,sex,country,province,city,district,address,zipcode,tel,fax,mobile,email,content,isclass,addtime,edittime';

		$db_values = "'$enquirysn',$userid,'$linkman',$sex,$country,$province,$city,$district,'$address','$zipcode','$tel','$fax','$mobile','$email','$content',0,$addtime,0";

		$this->db->query('INSERT INTO ' . $db_table . ' (' . $db_field . ') VALUES (' . $db_values . ')');

		$insert_id = $this->db->insert_id();

		$db_values = '';

		$arraycount = count($did) - 1;

		foreach ($did as $key => $value) {

			$value = intval($value);

			$amount[$key] = intval($amount[$key]);



			if ($key == $arraycount) {

				$db_values.= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$amount[$key],'')";

			} else {

				$db_values.= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$amount[$key],''),";

			}

		}
