SQL Injection 및 관리자가 게시글 수정때 정보 반영되도록 수정

2014-10-24 11:01:34 +09:00
parent 36e6d53374
commit 50c42776e7
2 changed files with 19 additions and 9 deletions
--- a/bbs/write.php
+++ b/bbs/write.php
@ -294,10 +294,10 @@ $homepage = "";
 if ($w == "" || $w == "r") {
    if ($is_member) {
        if (isset($write['wr_name'])) {
-            $name = get_text(cut_str($write['wr_name'],20));
+            $name = get_text(cut_str(stripslashes($write['wr_name']),20));
        }
-        $email = $member['mb_email'];
-        $homepage = get_text($member['mb_homepage']);
+        $email = get_email_address($member['mb_email']);
+        $homepage = get_text(stripslashes($member['mb_homepage']));
    }
 }

@ -318,9 +318,9 @@ if ($w == '') {
        }
    }

-    $name = get_text(cut_str($write['wr_name'],20));
+    $name = get_text(cut_str(stripslashes($write['wr_name']),20));
    $email = get_email_address($write['wr_email']);
-    $homepage = get_text($write['wr_homepage']);
+    $homepage = get_text(stripslashes($write['wr_homepage']));

    for ($i=1; $i<=G5_LINK_COUNT; $i++) {
        $write['wr_link'.$i] = get_text($write['wr_link'.$i]);
--- a/bbs/write_update.php
+++ b/bbs/write_update.php
@ -412,14 +412,24 @@ if ($w == '' || $w == 'r') {
            $wr_homepage = addslashes(clean_xss_tags($member['mb_homepage']));
        } else {
            $mb_id = $wr['mb_id'];
-            $wr_name = $wr['wr_name'];
-            $wr_email = $wr['wr_email'];
-            $wr_homepage = $wr['wr_homepage'];
+            if(isset($_POST['wr_name']) && $_POST['wr_name'])
+                $wr_name = clean_xss_tags(trim($_POST['wr_name']));
+            else
+                $wr_name = addslashes(clean_xss_tags($wr['wr_name']));
+            if(isset($_POST['wr_email']) && $_POST['wr_email'])
+                $wr_email = get_email_address(trim($_POST['wr_email']));
+            else
+                $wr_email = addslashes($wr['wr_email']);
+            if(isset($_POST['wr_homepage']) && $_POST['wr_homepage'])
+                $wr_homepage = addslashes(clean_xss_tags($_POST['wr_homepage']));
+            else
+                $wr_homepage = addslashes(clean_xss_tags($wr['wr_homepage']));
        }
    } else {
        $mb_id = "";
        // 비회원의 경우 이름이 누락되는 경우가 있음
-        //if (!trim($wr_name)) alert("이름은 필히 입력하셔야 합니다.");
+        if (!trim($wr_name)) alert("이름은 필히 입력하셔야 합니다.");
+        $wr_name = clean_xss_tags(trim($_POST['wr_name']));
        $wr_email = get_email_address(trim($_POST['wr_email']));
    }