From 4fde2372ff61d293bae06774b869deb7715f7f1c Mon Sep 17 00:00:00 2001
From: chicpro
Date: Mon, 10 Nov 2014 10:26:22 +0900
Subject: [PATCH] =?UTF-8?q?=EC=A3=BC=EB=AC=B8=ED=8F=BC=EC=9D=84=20?= =?UTF-8?q?=EC=9D=B4=EC=9A=A9=ED=95=9C=20XSS=20=EB=8C=80=EC=9D=91=20?= =?UTF-8?q?=EC=BD=94=EB=93=9C=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 mobile/shop/orderformupdate.php | 21 +++++++++++++++++++--
 shop/orderformupdate.php | 17 +++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/mobile/shop/orderformupdate.php b/mobile/shop/orderformupdate.php
index 478b23241..c4334fc0f 100644
--- a/mobile/shop/orderformupdate.php
+++ b/mobile/shop/orderformupdate.php
@@ -413,8 +413,25 @@ if($default['de_tax_flag_use']) {
 $od_free_mny = (int)$_POST['comm_free_mny'];
 }
-$od_pg = $default['de_pg_service'];
-$od_email = get_email_address($od_email);
+$od_pg = $default['de_pg_service'];
+$od_email = get_email_address($od_email);
+$od_name = clean_xss_tags($od_name);
+$od_tel = clean_xss_tags($od_tel);
+$od_hp = clean_xss_tags($od_hp);
+$od_zip1 = preg_replace('/[^0-9]/', '', $od_zip1);
+$od_zip2 = preg_replace('/[^0-9]/', '', $od_zip2);
+$od_addr1 = clean_xss_tags($od_addr1);
+$od_addr2 = clean_xss_tags($od_addr2);
+$od_addr3 = clean_xss_tags($od_addr3);
+$od_addr_jibeon = preg_match("/^(N|R)$/", $od_addr_jibeon) ? $od_addr_jibeon : '';
+$od_b_name = clean_xss_tags($od_b_name);
+$od_b_tel = clean_xss_tags($od_b_tel);
+$od_b_hp = clean_xss_tags($od_b_hp);
+$od_b_addr1 = clean_xss_tags($od_b_addr1);
+$od_b_addr2 = clean_xss_tags($od_b_addr2);
+$od_b_addr3 = clean_xss_tags($od_b_addr3);
+$od_b_addr_jibeon = preg_match("/^(N|R)$/", $od_b_addr_jibeon) ? $od_b_addr_jibeon : '';
+$od_memo = clean_xss_tags($od_memo);
 // 주문서에 입력
 $sql = " insert {$g5['g5_shop_order_table']}
diff --git a/shop/orderformupdate.php b/shop/orderformupdate.php
index edffad31b..2188a5f61 100644
--- a/shop/orderformupdate.php
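Review bot: clean_xss_tags() on $od_name through $od_memo strips markup on the way into the database, but these values are presumably still interpolated into the `$sql = " insert …"` statement that starts on the hunk's last line, so this change does not cover SQL injection; unless an escaping step runs between this block and the query (not visible here), each value should also go through the project's SQL escaping helper or a prepared statement, and the pages that print these columns should still apply htmlspecialchars() at output instead of trusting stored data to be clean. The two jibeon checks use `$`, which in PCRE also matches before a trailing newline, so a value of "N" followed by a newline is accepted and stored as-is; `$od_addr_jibeon = preg_match('/^[NR]\z/', $od_addr_jibeon) ? $od_addr_jibeon : '';` (or the D modifier) pins the end of the string, and the same applies to $od_b_addr_jibeon. The same seventeen lines are duplicated verbatim in shop/orderformupdate.php (the second hunk); moving them into one helper in a shared include would keep the desktop and mobile paths from drifting. The insert statement that consumes these variables continues outside the hunk.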
+++ b/shop/orderformupdate.php
@@ -409,6 +409,23 @@ if($default['de_tax_flag_use']) {
 $od_pg = $default['de_pg_service'];
 $od_email = get_email_address($od_email);
+$od_name = clean_xss_tags($od_name);
+$od_tel = clean_xss_tags($od_tel);
+$od_hp = clean_xss_tags($od_hp);
+$od_zip1 = preg_replace('/[^0-9]/', '', $od_zip1);
+$od_zip2 = preg_replace('/[^0-9]/', '', $od_zip2);
+$od_addr1 = clean_xss_tags($od_addr1);
+$od_addr2 = clean_xss_tags($od_addr2);
+$od_addr3 = clean_xss_tags($od_addr3);
+$od_addr_jibeon = preg_match("/^(N|R)$/", $od_addr_jibeon) ? $od_addr_jibeon : '';
+$od_b_name = clean_xss_tags($od_b_name);
+$od_b_tel = clean_xss_tags($od_b_tel);
+$od_b_hp = clean_xss_tags($od_b_hp);
+$od_b_addr1 = clean_xss_tags($od_b_addr1);
+$od_b_addr2 = clean_xss_tags($od_b_addr2);
+$od_b_addr3 = clean_xss_tags($od_b_addr3);
+$od_b_addr_jibeon = preg_match("/^(N|R)$/", $od_b_addr_jibeon) ? $od_b_addr_jibeon : '';
+$od_memo = clean_xss_tags($od_memo);
 // 주문서에 입력
 $sql = " insert {$g5['g5_shop_order_table']}