Discuz! moderation.inc.php database 'injection' (SQL injection) vulnerability

Published: 2025-04-13
Revised: 2025-04-13

Code in the file include/moderation.inc.php:

    $threadlist = $loglist = array();
    if($tids = implodeids($moderate)) {
        // Rows are loaded from the threads table as stored
        $query = $db->query("SELECT * FROM {$tablepre}threads WHERE tid IN ($tids) AND fid='$fid' AND displayorder>='0' AND digest>='0' LIMIT $tpp");
        while($thread = $db->fetch_array($query)) {
            ...
            $threadlist[$thread['tid']] = $thread;
    ...
    foreach($threadlist as $tid => $thread) {
        ...
        if($type == 'redirect') {
            // author and subject pass through addslashes(); lastposter does not
            $db->query("INSERT INTO {$tablepre}threads (fid, readperm, iconid, author, authorid, subject, dateline, lastpost, lastposter, views, replies, displayorder, digest, closed, special, attachment)
                VALUES ('$thread[fid]', '$thread[readperm]', '$thread[iconid]', '".addslashes($thread['author'])."', '$thread[authorid]', '".addslashes($thread['subject'])."', '$thread[dateline]', '$thread[dblastpost]', '$thread[lastposter]', '0', '0', '0', '0', '$thread[tid]', '0', '0')");

This one is fairly obvious: $thread[lastposter], a value read back from the database, is placed directly into the INSERT statement, which results in injection :)...
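
The pattern described above, shown next to a parameter-bound form, as an added example that is not part of the original advisory or of Discuz!. Assumptions: the cut-down table, the constructed sample row and the function names redirect_unsafe/redirect_safe are hypothetical; in-memory SQLite through PDO stands in for the forum's MySQL database, and quote doubling stands in for addslashes().

```php
<?php
// Added example, not Discuz! code. Schema and sample row are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE threads (tid INTEGER PRIMARY KEY, fid INTEGER,
            author TEXT, subject TEXT, lastposter TEXT, closed INTEGER)");

// Escaping applied when a row is first written does not survive storage:
// the database keeps the raw apostrophe, and SELECT hands it back raw.
$ins = $pdo->prepare("INSERT INTO threads (fid, author, subject, lastposter, closed)
                      VALUES (?, ?, ?, ?, 0)");
$ins->execute([2, 'alice', 'hello', "O'Brien"]);
$thread = $pdo->query("SELECT * FROM threads WHERE tid = 1")->fetch(PDO::FETCH_ASSOC);

// Stand-in for addslashes(): SQLite escapes a quote by doubling it.
function esc(string $v): string { return str_replace("'", "''", $v); }

// Pattern from the advisory: author and subject are escaped, lastposter is not.
function redirect_unsafe(PDO $pdo, array $t): bool {
    $sql = "INSERT INTO threads (fid, author, subject, lastposter, closed) VALUES ("
         . "'{$t['fid']}', '" . esc($t['author']) . "', '" . esc($t['subject'])
         . "', '{$t['lastposter']}', '{$t['tid']}')";
    try { $pdo->exec($sql); return true; }
    catch (PDOException $e) { return false; }  // the stored quote altered the statement
}

// Hardened: every value read back from the row is bound, never concatenated.
function redirect_safe(PDO $pdo, array $t): bool {
    $st = $pdo->prepare("INSERT INTO threads (fid, author, subject, lastposter, closed)
                         VALUES (:fid, :author, :subject, :lastposter, :closed)");
    return $st->execute([
        ':fid' => (int)$t['fid'], ':author' => $t['author'], ':subject' => $t['subject'],
        ':lastposter' => $t['lastposter'], ':closed' => (int)$t['tid'],
    ]);
}

var_dump(redirect_unsafe($pdo, $thread));
var_dump(redirect_safe($pdo, $thread));
// Check that the redirect row carries the stored name unchanged.
$copy = $pdo->query("SELECT lastposter FROM threads WHERE closed = 1")->fetchColumn();
var_dump($copy === $thread['lastposter']);
```

In the legacy code base itself, the smallest change consistent with its own idiom is to pass $thread['lastposter'] through addslashes() as is already done for author and subject.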

No Exp or PoC is currently available.
There are currently 0 affected product entries.