TA的每日心情 | 怒 2024-12-14 22:22 |
---|
签到天数: 1631 天 [LV.Master]伴坛终老
|
modules/message/index.php
- public function reply() {
- if(isset($_POST['dosubmit'])) {
- $messageid = intval($_POST['info']['replyid']);
- //判断当前会员,是否可发,短消息.
- $this->message_db->messagecheck($this->_userid);
- //检查此消息是否有权限回复
- $this->check_user($messageid,'to');
-
- $_POST['info']['send_from_id'] = $this->_username;
- $_POST['info']['message_time'] = SYS_TIME;
- $_POST['info']['status'] = '1';
- $_POST['info']['folder'] = 'inbox';
- $_POST['info']['content'] = safe_replace($_POST['info']['content']);
- $_POST['info']['subject'] = safe_replace($_POST['info']['subject']);
- if(empty($_POST['info']['send_to_id'])) {
- showmessage(L('user_noempty'),HTTP_REFERER);
- }
- $messageid = $this->message_db->insert($_POST['info'],true);//目测是直接遍历数据,然后key就是column val就是vaules插入。。如info[6148']
- if(!$messageid) return FALSE;
- showmessage(L('operation_success'),HTTP_REFERER);
-
- } else {
- $show_validator = $show_scroll = $show_header = true;
- include template('message', 'send');
- }
-
- }
复制代码 mysql.class.php
- public function insert($data, $table, $return_insert_id = false, $replace = false) {
- if(!is_array( $data ) || $table == '' || count($data) == 0) {
- return false;
- }
-
- $fielddata = array_keys($data);//不出所料
- $valuedata = array_values($data);
- array_walk($fielddata, array($this, 'add_special_char')); //但是处理过,似乎没啥办法注入,反正我是没想到
- array_walk($valuedata, array($this, 'escape_string'));
-
- $field = implode (',', $fielddata);
- $value = implode (',', $valuedata);
-
- $cmd = $replace ? 'REPLACE INTO' : 'INSERT INTO';
- $sql = $cmd.' `'.$this->config['database'].'`.`'.$table.'`('.$field.') VALUES ('.$value.')';
- $return = $this->execute($sql);
- return $return_insert_id ? $this->insert_id() : $return;
- }
- public function add_special_char(&$value) {
- if('*' == $value || false !== strpos($value, '(') || false !== strpos($value, '.') || false !== strpos ( $value, '`')) {
- //不处理包含* 或者 使用了sql方法。
- } else {
- $value = '`'.trim($value).'`';
- }
- if (preg_match("/\b(select|insert|update|delete)\b/i", $value)) { //正则匹配,然后替换
- $value = preg_replace("/\b(select|insert|update|delete)\b/i", '', $value);
- }
- return $value;
- }
复制代码
提示:
Unknown column '6148\'' in 'field list' |
|