safe_str()人工修复通知 一定要修复
时间:2016-08-01
打开 ./config/functions.php
搜索 safe_str() 及 de_safe_str()
把它们替换成如下:
搜索 safe_str() 及 de_safe_str()
把它们替换成如下:
// Filter "banned" characters before a value goes into the database (PHP code/function).
//
// NOTE(review): this is a keyword blacklist plus entity-encoding step, not an SQL
// escaping or parameterisation layer; string-built queries are not made safe by it
// on their own, and prepared statements are still the control to rely on.
// NOTE(review): several replacement literals below (''' , '"', '--', '\-*', '\')
// look as if they were decoded by the page this listing was copied from — ''' on
// its own is not valid PHP. Presumably the shipped ./config/functions.php holds
// HTML entities there (a single quote would be something like '&#39;'); confirm
// against the real file before pasting this in.
//
// $str            string to filter, or an array that is filtered recursively
//                 (array KEYS are passed through untouched: the key filter is
//                 commented out below).
// $replace_script when true, rewrites "<script" to "<monxin_script" and
//                 "script>" to "monxin_script>" (case-insensitive).
// $allow_html     when false, the result is additionally passed through
//                 htmlspecialchars() with its default flags.
// Returns the filtered string, or an array with the same keys as the input.
function safe_str($str,$replace_script=true,$allow_html=true){
    // Blacklisted tokens. Each one is interpolated into the pattern unescaped
    // (no preg_quote), so the '.' in '-receive.php-' matches any character.
    $array=array('-receive.php-','-select-','-insert-','-update-','-delete-','-union-','-into-','-load_file-','-outfile-','-@SQL-','-0x-');
    if(!is_array($str)){
        // Wrap every match in '-' ... '-' (i = case-insensitive, U = ungreedy);
        // de_safe_str() strips that wrapping again on the way out.
        foreach($array as $v){
            $str=preg_replace("#({$v})#iU","-\${1}-",$str);
        }
        //$str=preg_replace("![][xX]([A-Fa-f0-9])!","x \${1}",$str);
        // Quote / dash / backslash encoding. The replacement strings here are the
        // ones flagged as decoded in the header note — see NOTE(review) above.
        $str=str_replace("'",''',$str);
        $str=str_replace('"','"',$str);
        $str=str_replace("--",'--',$str);
        // "\-*" in double quotes is the literal three characters \-* ('\-' is not
        // a PHP escape); it is handled before the bare backslash on the next line.
        $str=str_replace("\-*",'\-*',$str);
        // "\\" is a single backslash.
        $str=str_replace("\\",'\',$str);
        if($replace_script){
            // Neutralise script tags by renaming them; nothing in de_safe_str()
            // reverses this, so the rename is permanent once stored.
            $str = preg_replace("/<script/iUs", "<monxin_script", $str);
            $str = preg_replace("/script>/iUs", "monxin_script>", $str);
        }
        // Default htmlspecialchars() flags — no ENT_QUOTES / charset passed here.
        if(!$allow_html){$str=htmlspecialchars($str);}
        $r=$str;
    }else{
        // Recurse into array values; keys are copied as-is.
        $r=array();
        foreach($str as $key=>$value){
            //$key=safe_str($key);
            $r[$key]=safe_str($value,$replace_script,$allow_html);
        }
    }
    return $r;
}

// Restore the banned characters after a value comes out of the database (PHP code/function).
//
// NOTE(review): this is the inverse of safe_str(), not a sanitiser — its output
// contains raw quotes and backslashes again, so it must not be interpolated into
// SQL, shell commands or HTML without the escaping appropriate to that context.
// It does not undo the "<script" -> "<monxin_script" rename or htmlspecialchars().
// NOTE(review): the same decoded-literal caveat as in safe_str() applies to the
// str_replace() search strings below; confirm them against ./config/functions.php.
//
// $str string to restore, or an array that is restored recursively (keys untouched).
// Returns the restored string, or an array with the same keys as the input.
function de_safe_str($str){
    // Must match the blacklist in safe_str() exactly, or the '-' wrapping is
    // left in place for the unmatched tokens.
    $array=array('-receive.php-','-select-','-insert-','-update-','-delete-','-union-','-into-','-load_file-','-outfile-','-@SQL-','-0x-');
    if(!is_array($str)){
        // Strip the '-' ... '-' wrapping added by safe_str() (case-insensitive).
        foreach($array as $v){
            $str=preg_replace("#-({$v})-#i","\${1}",$str);
        }
        //$str=preg_replace("![][xX]([A-Fa-f0-9])!","x \${1}",$str);
        // Reverse the quote / dash / backslash encoding, in the same order as
        // safe_str() applied it.
        $str=str_replace("'","'",$str);
        $str=str_replace('"','"',$str);
        $str=str_replace('--',"--",$str);
        $str=str_replace("\-*",'\-*',$str);
        // Replacement "\\" is a single backslash.
        $str=str_replace('\',"\\",$str);
        $r=$str;
    }else{
        // Recurse into array values; keys are copied as-is.
        $r=array();
        foreach($str as $key=>$value){
            //$key=de_safe_str($key);
            $r[$key]=de_safe_str($value);
        }
    }
    return $r;
}