From 248cb2b173b08b59aa06be1f4069a30986a53f6c Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 14 Feb 2024 19:09:20 +0900
Subject: [PATCH] =?UTF-8?q?=EA=B4=80=EB=A6=AC=EC=9E=90=20=ED=8E=98?= =?UTF-8?q?=EC=9D=B4=EC=A7=80=20=EC=9B=90=EA=B2=A9=20=EB=AA=85=EB=A0=B9=20?= =?UTF-8?q?=EC=8B=A4=ED=96=89=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/board_copy_update.php | 4 +++-
 adm/shop_admin/configformupdate.php | 6 +++---
 adm/shop_admin/itemeventformupdate.php | 4 ++--
 mobile/shop/event.php | 2 +-
 mobile/shop/lg/mispwapurl.php | 2 +-
 mobile/shop/orderinquiryview.php | 4 +++-
 shop/event.php | 2 +-
 7 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/adm/board_copy_update.php b/adm/board_copy_update.php
index ef80a0ebc..57ae93edb 100644
--- a/adm/board_copy_update.php
+++ b/adm/board_copy_update.php
@@ -8,7 +8,7 @@ auth_check_menu($auth, $sub_menu, 'w');
 check_admin_token();
-$bo_table = isset($_POST['bo_table']) ? $_POST['bo_table'] : null;
+$bo_table = isset($_POST['bo_table']) ? substr(preg_replace('/[^a-z0-9_]/i', '', $_POST['bo_table']), 0, 20) : null;
 $target_table = isset($_POST['target_table']) ? trim($_POST['target_table']) : '';
 $target_subject = isset($_POST['target_subject']) ? trim($_POST['target_subject']) : '';
@@ -24,6 +24,8 @@ if (!preg_match('/[A-Za-z0-9_]{1,20}/', $target_table)) {
 alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)');
 }
+$target_table = substr(preg_replace('/[^a-z0-9_]/i', '', $target_table), 0, 20);
+
 // 게시판명이 금지된 단어로 되어 있으면
 if ($w == '' && in_array($target_table, get_bo_table_banned_word())) {
 alert('입력한 게시판 TABLE명을 사용할수 없습니다. 다른 이름으로 입력해 주세요.');
diff --git a/adm/shop_admin/configformupdate.php b/adm/shop_admin/configformupdate.php
index 72359169a..ac122d997 100644
--- a/adm/shop_admin/configformupdate.php
+++ b/adm/shop_admin/configformupdate.php
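Review bot: The new `$bo_table` line sanitises by rewriting rather than rejecting, so a posted `bo_table` of `free board` or `free;x` silently becomes `freeboard`/`freex` and the copy proceeds from a board the admin never named. Since this is an admin action with `alert()` available, compare and stop: `if ($bo_table !== null && $bo_table !== $_POST['bo_table']) alert('게시판 TABLE명이 올바르지 않습니다.');` right after the assignment, keeping the strip as defence in depth. `substr(preg_replace(...))` on an array-valued `bo_table[]` parameter will warn or throw rather than fail cleanly; an `is_string()` test in the same condition covers it. How `$bo_table` is consumed afterwards is outside this hunk.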
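Review bot: The added `$target_table = substr(preg_replace(...), 0, 20);` papers over the check on the hunk's header line, `preg_match('/[A-Za-z0-9_]{1,20}/', $target_table)`, which is unanchored and accepts any string containing a single valid character; the net effect is that a name with spaces or more than 20 characters is silently rewritten and a table the admin did not type gets created. Anchor the check so bad input is refused, `if (!preg_match('/^[A-Za-z0-9_]{1,20}$/', $target_table)) {`, and keep the new strip only as a second layer. The `in_array($target_table, get_bo_table_banned_word())` on the following line now runs on the stripped value, which is the right order.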
@@ -28,8 +28,8 @@ if ($_FILES['mobile_logo_img2']['name']) upload_file($_FILES['mobile_logo_img2']
 $de_kcp_mid = isset($_POST['de_kcp_mid']) ? substr($_POST['de_kcp_mid'], 0, 3) : '';
 $cf_icode_server_port = isset($cf_icode_server_port) ? preg_replace('/[^0-9]/', '', $cf_icode_server_port) : '7295';
-$de_shop_skin = isset($_POST['de_shop_skin']) ? preg_replace('#\.+(\/|\\\)#', '', $_POST['de_shop_skin']) : 'basic';
-$de_shop_mobile_skin = isset($_POST['de_shop_mobile_skin']) ? preg_replace('#\.+(\/|\\\)#', '', $_POST['de_shop_mobile_skin']) : 'basic';
+$de_shop_skin = isset($_POST['de_shop_skin']) ? preg_replace(array('#\.+(\/|\\\)#', '#[\'\"]#'), array('', ''), $_POST['de_shop_skin']) : 'basic';
+$de_shop_mobile_skin = isset($_POST['de_shop_mobile_skin']) ? preg_replace(array('#\.+(\/|\\\)#', '#[\'\"]#'), array('', ''), $_POST['de_shop_mobile_skin']) : 'basic';
 $skins = get_skin_dir('shop');
@@ -59,7 +59,7 @@ $de_shop_mobile_skin = in_array($de_shop_mobile_skin, $mobile_skins) ? $de_shop_
 $check_skin_keys = array('de_type1_list_skin', 'de_type2_list_skin', 'de_type3_list_skin', 'de_type4_list_skin', 'de_type5_list_skin', 'de_mobile_type1_list_skin', 'de_mobile_type2_list_skin', 'de_mobile_type3_list_skin', 'de_mobile_type4_list_skin', 'de_mobile_type5_list_skin', 'de_rel_list_skin', 'de_mobile_rel_list_skin', 'de_search_list_skin', 'de_mobile_search_list_skin', 'de_listtype_list_skin', 'de_mobile_listtype_list_skin');
 foreach($check_skin_keys as $key){
- $$key = $_POST[$key] = isset($_POST[$key]) ? preg_replace('#\.+(\/|\\\)#', '', strip_tags($_POST[$key])) : '';
+ $$key = $_POST[$key] = isset($_POST[$key]) ? preg_replace(array('#\.+(\/|\\\)#', '#[\'\"]#'), array('', ''), strip_tags($_POST[$key])) : '';
 if( isset($_POST[$key]) && preg_match('#\.+(\/|\\\)#', $_POST[$key]) ){
 alert('스킨설정에 유효하지 문자가 포함되어 있습니다.');
diff --git a/adm/shop_admin/itemeventformupdate.php b/adm/shop_admin/itemeventformupdate.php
index 80fad61f9..9b026dc53 100644
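Review bot: The two `+` lines apply their patterns in array order, and `preg_replace` runs each pattern over the output of the previous one, so the quote strip now runs after the traversal strip and can recreate what the first pattern was meant to remove: `..'/` contains no dot-then-slash run for the first pattern, then loses the `'` and comes out as `../`, which the pre-commit single-pattern code would have stripped. Swap the order on both lines, `preg_replace(array('#[\'\"]#', '#\.+(\/|\\\)#'), array('', ''), $_POST['de_shop_skin'])`. The `in_array($de_shop_mobile_skin, $mobile_skins)` visible in the next hunk's header suggests the value is later compared against `get_skin_dir()`, which would bound the damage; that comparison for `de_shop_skin` itself is outside this hunk.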
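Review bot: The changed `$$key` line has the same pattern-order problem: `..'/` passes the traversal pattern untouched and the quote pattern then yields `../`. The `preg_match('#\.+(\/|\\\)#', $_POST[$key])` on the following line happens to catch that, because `$_POST[$key]` has just been overwritten with the stripped value; before this commit that guard could never fire, and after it the guard is the only thing stopping the reconstructed sequence, so do not lean on it: reverse the array, `preg_replace(array('#[\'\"]#', '#\.+(\/|\\\)#'), array('', ''), strip_tags($_POST[$key]))`. A positive check such as an anchored filename pattern (`/^[A-Za-z0-9_.-]+$/`) would make blacklist order irrelevant. The foreach body continues beyond the end of the hunk.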
--- a/adm/shop_admin/itemeventformupdate.php
+++ b/adm/shop_admin/itemeventformupdate.php
@@ -41,8 +41,8 @@ if ($ev_mimg_del) @unlink(G5_DATA_PATH."/event/{$ev_id}_m");
 if ($ev_himg_del) @unlink(G5_DATA_PATH."/event/{$ev_id}_h");
 if ($ev_timg_del) @unlink(G5_DATA_PATH."/event/{$ev_id}_t");
-$ev_skin = preg_replace('#\.+(\/|\\\)#', '', $ev_skin);
-$ev_mobile_skin = preg_replace('#\.+(\/|\\\)#', '', $ev_mobile_skin);
+$ev_skin = preg_replace(array('#\.+(\/|\\\)#', '#[\'\"]#'), array('', ''), $ev_skin);
+$ev_mobile_skin = preg_replace(array('#\.+(\/|\\\)#', '#[\'\"]#'), array('', ''), $ev_mobile_skin);
 $skin_regex_patten = "^list.[0-9]+\.skin\.php";
diff --git a/mobile/shop/event.php b/mobile/shop/event.php
index b27763d19..f481b8b4e 100644
--- a/mobile/shop/event.php
+++ b/mobile/shop/event.php
@@ -33,7 +33,7 @@ else $order_by = 'b.it_order, b.it_id desc';
 if ($skin) {
- $skin = preg_replace('#\.+(\/|\\\)#', '', $skin);
+ $skin = preg_replace(array('#\.+(\/|\\\)#', '#[\'\"]#'), array('', ''), $skin);
 $ev['ev_skin'] = $skin;
 }
diff --git a/mobile/shop/lg/mispwapurl.php b/mobile/shop/lg/mispwapurl.php
index 79e1f1360..da969af4a 100644
--- a/mobile/shop/lg/mispwapurl.php
+++ b/mobile/shop/lg/mispwapurl.php
@@ -2,7 +2,7 @@
 // 해당 페이지는 사용자가 ISP{국민/BC) 카드 결제를 성공하였을 때, 사용자에게 보여지는 페이지입니다.
 include_once('./_common.php');
-$LGD_OID = clean_xss_tags($_GET['LGD_OID']);
+$LGD_OID = clean_xss_tags($_GET['LGD_OID'], 1, 1);
 echo "LGD_OID = ".$LGD_OID;
diff --git a/mobile/shop/orderinquiryview.php b/mobile/shop/orderinquiryview.php
index 63c54028a..48fd10495 100644
--- a/mobile/shop/orderinquiryview.php
+++ b/mobile/shop/orderinquiryview.php
@@ -1,5 +1,7 @@
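Review bot: The changed `$ev_skin`/`$ev_mobile_skin` lines carry the same ordering defect as configformupdate.php: `preg_replace` applies the array patterns in turn, so `..'/` survives the traversal pattern and the quote pattern then produces `../`. The `$skin_regex_patten = "^list.[0-9]+\.skin\.php"` on the next line has no `$` anchor and an unescaped `.` after `list`, so if it is the acceptance test, `list.1.skin.php..'/..'/x` is accepted as `list.1.skin.php../../x`. Reverse the pattern order on both lines and anchor the regex, `$skin_regex_patten = "^list\.[0-9]+\.skin\.php$";`. Where `$ev_skin` is read from the request and how the regex is applied are outside this hunk.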
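Review bot: `$skin` is request input on a public shop page, and the changed line can now yield `../` from `..'/` because the quote pattern runs after the traversal pattern; nothing in this hunk validates the result before it replaces the stored `$ev['ev_skin']`. The admin form for the same field (itemeventformupdate.php in this patch) appears to constrain it to `list.<n>.skin.php`, so bound it here the same way instead of blacklisting: `if (!preg_match('/^list\.[0-9]+\.skin\.php$/', $skin)) $skin = '';` before the assignment. How `ev_skin` is resolved to a path, and whether `$skin` arrives via `$_GET`, is not visible in the hunk.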
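Review bot: The changed line tightens `clean_xss_tags` (what the two extra `1, 1` arguments mean is not visible here), but the value is still concatenated raw into the response on the next line, `echo "LGD_OID = ".$LGD_OID;`; encode at the sink regardless of what the filter does, `echo 'LGD_OID = '.htmlspecialchars($LGD_OID, ENT_QUOTES, 'UTF-8');`, assuming this page is served as HTML. `$_GET['LGD_OID']` is also dereferenced without `isset`, which warns on a direct hit of the page; `isset($_GET['LGD_OID']) ? $_GET['LGD_OID'] : ''` as the argument avoids that. The rest of the page is outside the hunk.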