<p>在search.php文件中:</p><pre class="lang-php" data-lang="php"><code style="margin: 0px; font-family: 'Lucida Console', 'Courier New', Courier, mono, monospace; color: rgb(51, 51, 51); background-color: rgb(248, 248, 248);">$module=intval($module);<br style="margin: 0px; padding: 0px;"> if($class1)$module=0;<br style="margin: 0px; padding: 0px;"> if(intval($module)){<br style="margin: 0px; padding: 0px;"> $serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' ";<br style="margin: 0px; padding: 0px;"> }else{<br style="margin: 0px; padding: 0px;"> $class1_info=$class_list[$class1];<br style="margin: 0px; padding: 0px;"> if(!$class1_info)okinfo('../',$pagelang[noid]);<br style="margin: 0px; padding: 0px;"> $class1sql=" class1='$class1' ";<br style="margin: 0px; padding: 0px;"> $class2sql=" class2='$class2' ";<br style="margin: 0px; padding: 0px;"> $class3sql=" class3='$class3' ";<br style="margin: 0px; padding: 0px;"> <br style="margin: 0px; padding:...
<p>在search.php文件中:</p><pre class="lang-php" data-lang="php"><code style="margin: 0px; font-family: 'Lucida Console', 'Courier New', Courier, mono, monospace; color: rgb(51, 51, 51); background-color: rgb(248, 248, 248);">$module=intval($module);<br style="margin: 0px; padding: 0px;"> if($class1)$module=0;<br style="margin: 0px; padding: 0px;"> if(intval($module)){<br style="margin: 0px; padding: 0px;"> $serch_sql.=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' ";<br style="margin: 0px; padding: 0px;"> }else{<br style="margin: 0px; padding: 0px;"> $class1_info=$class_list[$class1];<br style="margin: 0px; padding: 0px;"> if(!$class1_info)okinfo('../',$pagelang[noid]);<br style="margin: 0px; padding: 0px;"> $class1sql=" class1='$class1' ";<br style="margin: 0px; padding: 0px;"> $class2sql=" class2='$class2' ";<br style="margin: 0px; padding: 0px;"> $class3sql=" class3='$class3' ";<br style="margin: 0px; padding: 0px;"> <br style="margin: 0px; padding: 0px;"> if($class1&&!$class2&&!$class3){<br style="margin: 0px; padding: 0px;"> foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){<br style="margin: 0px; padding: 0px;"> if($val['releclass']==$class1){<br style="margin: 0px; padding: 0px;"> $class1re.=" or class1='$val[id]' ";<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> if($class1re){<br style="margin: 0px; padding: 0px;"> $class1sql='('.$class1sql.$class1re.')';<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> if($class_list[$class2]['releclass']){<br style="margin: 0px; padding: 0px;"> $class1sql=" class1='$class2' ";<br style="margin: 0px; padding: 0px;"> $class2sql=" class2='$class3' ";<br style="margin: 0px; padding: 0px;"> $class3sql="";<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> $serch_sql=" where lang='$lang' and (recycle='0' or recycle='-1') and displaytype='1' and $class1sql ";</code></pre><p></p><p>由于$class1re 没有进行初始化,所以全局只需要越过</p><pre class="lang-php" data-lang="php"><code style="margin: 0px; font-family: 'Lucida Console', 'Courier New', Courier, mono, monospace; color: rgb(51, 51, 51); background-color: rgb(248, 248, 248);">foreach($module_list2[$class_list[$class1]['module']] as $key=>$val){<br style="margin: 0px; padding: 0px;"> if($val['releclass']==$class1){<br style="margin: 0px; padding: 0px;"> $class1re.=" or class1='$val[id]' ";<br style="margin: 0px; padding: 0px;"> }<br style="margin: 0px; padding: 0px;"> }</code></pre><p>这一条逻辑即可:<br>发送url:<br><a href="http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=1&searchword=1&lang=cn&class1re=xxxxxx" rel="nofollow">http://localhost/MetInfo5.3/search/search.php?class1=2&class2=&class3=&searchtype=1&searchword=1&lang=cn&class1re=xxxxxx</a><br>抓取sql语句为:<br>SELECT COUNT(*) FROM met_news where lang='cn' and (recycle='0' or recycle='-1') and displaytype='1' and ( class1='2' xxxxxx) and title like '%1%'</p>
