비밀 댓글 노출 취약점(16-067) 수정

This commit is contained in:
chicpro
2016-01-27 14:59:49 +09:00
parent 9a870506ab
commit 6b43e67c40
8 changed files with 24 additions and 8 deletions

View File

@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
$query_string = clean_query_string($_SERVER['QUERY_STRING']);
if($w == 'cu') {
$sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
$sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
$cmt = sql_fetch($sql);
if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
$cmt['wr_content'] = '';
$c_wr_content = $cmt['wr_content'];
}

View File

@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
$query_string = clean_query_string($_SERVER['QUERY_STRING']);
if($w == 'cu') {
$sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
$sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
$cmt = sql_fetch($sql);
if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
$cmt['wr_content'] = '';
$c_wr_content = $cmt['wr_content'];
}

View File

@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
$query_string = clean_query_string($_SERVER['QUERY_STRING']);
if($w == 'cu') {
$sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
$sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
$cmt = sql_fetch($sql);
if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
$cmt['wr_content'] = '';
$c_wr_content = $cmt['wr_content'];
}

View File

@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
$query_string = clean_query_string($_SERVER['QUERY_STRING']);
if($w == 'cu') {
$sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
$sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
$cmt = sql_fetch($sql);
if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
$cmt['wr_content'] = '';
$c_wr_content = $cmt['wr_content'];
}