ECShop_V2.7.3_GBK_release1106 注入 0day

2012-12-21 21:42:57 67 6204 2
C0deplay Team    j8g

看代码
/* 修改个人资料的处理 */

elseif ($action == 'act_edit_profile')

{

    include_once(ROOT_PATH . 'includes/lib_transaction.php');



    $birthday = trim($_POST['birthdayYear']) .'-'. trim($_POST['birthdayMonth']) .'-'.

    trim($_POST['birthdayDay']);

    $email = trim($_POST['email']);

    $other['msn'] = $msn = isset($_POST['extend_field1']) ? trim($_POST['extend_field1']) : '';

    $other['qq'] = $qq = isset($_POST['extend_field2']) ? trim($_POST['extend_field2']) : '';

    $other['office_phone'] = $office_phone = isset($_POST['extend_field3']) ? trim($_POST['extend_field3']) : '';

    $other['home_phone'] = $home_phone = isset($_POST['extend_field4']) ? trim($_POST['extend_field4']) : '';

    $other['mobile_phone'] = $mobile_phone = isset($_POST['extend_field5']) ? trim($_POST['extend_field5']) : '';

    $sel_question = empty($_POST['sel_question']) ? '' : $_POST['sel_question'];

    $passwd_answer = isset($_POST['passwd_answer']) ? trim($_POST['passwd_answer']) : '';



    /* 更新用户扩展字段的数据 */

    $sql = 'SELECT id FROM ' . $ecs->table('reg_fields') . ' WHERE type = 0 AND display = 1 ORDER BY dis_order, id';   //读出所有扩展字段的id

    $fields_arr = $db->getAll($sql);



    foreach ($fields_arr AS $val)       //循环更新扩展用户信息

    {

        $extend_field_index = 'extend_field' . $val['id'];

        if(isset($_POST[$extend_field_index]))

        {

            $temp_field_content = strlen($_POST[$extend_field_index]) > 100 ? mb_substr(htmlspecialchars($_POST[$extend_field_index]), 0, 99) : htmlspecialchars($_POST[$extend_field_index]);

            $sql = 'SELECT * FROM ' . $ecs->table('reg_extend_info') . "  WHERE reg_field_id = '$val[id]' AND user_id = '$user_id'";

            if ($db->getOne($sql))      //如果之前没有记录,则插入

            {

                $sql = 'UPDATE ' . $ecs->table('reg_extend_info') . " SET content = '$temp_field_content' WHERE reg_field_id = '$val[id]' AND user_id = '$user_id'";

            }

            else

            {

                $sql = 'INSERT INTO '. $ecs->table('reg_extend_info') . " (`user_id`, `reg_field_id`, `content`) VALUES ('$user_id', '$val[id]', '$temp_field_content')";

            }

            $db->query($sql);

        }

    }



    /* 写入密码提示问题和答案 */

    if (!empty($passwd_answer) && !empty($sel_question))

    {

        $sql = 'UPDATE ' . $ecs->table('users') . " SET `passwd_question`='$sel_question', `passwd_answer`='$passwd_answer'  WHERE `user_id`='" . $_SESSION['user_id'] . "'";

                echo $sql;

        $db->query($sql);

    }
上图





不做过多介绍。大家看热闹就好,别删除我账号呀!
类别 Web安全

关于作者

xiaoxiaoabc68篇文章777篇回复

xiaoxiaoabc
67

评论67次

要评论?请先  登录  或  注册