From 73bb020487b1698089fae8ce32370c2171240ea9 Mon Sep 17 00:00:00 2001
From: chicpro
Date: Tue, 6 Sep 2016 14:46:36 +0900
Subject: [PATCH] =?UTF-8?q?=EC=98=B5=EC=85=98=EC=A0=95=EB=B3=B4=EB=A5=BC?=
 =?UTF-8?q?=20=EC=9D=B4=EC=9A=A9=ED=95=9C=20SQL=20Injection=20=EC=B7=A8?=
 =?UTF-8?q?=EC=95=BD=EC=A0=90(16-682)=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/shop_admin/itemformupdate.php | 4 ++++
 adm/shop_admin/itemoption.php | 12 ++++++------
 adm/shop_admin/itemsupply.php | 4 ++--
 shop.config.php | 3 +++
 shop/cartupdate.php | 8 ++++----
 5 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/adm/shop_admin/itemformupdate.php b/adm/shop_admin/itemformupdate.php
index a230ae6dd..67c17f917 100644
--- a/adm/shop_admin/itemformupdate.php
+++ b/adm/shop_admin/itemformupdate.php
@@ -214,6 +214,8 @@ if($option_count) {
 // 옵션명
 $opt1_cnt = $opt2_cnt = $opt3_cnt = 0;
 for($i=0; $i<$option_count; $i++) {
+ $_POST['opt_id'][$i] = preg_replace(G5_OPTION_ID_FILTER, '', $_POST['opt_id'][$i]);
+
 $opt_val = explode(chr(30), $_POST['opt_id'][$i]);
 if($opt_val[0])
 $opt1_cnt++;
@@ -240,6 +242,8 @@ if($supply_count) {
 // 추가옵션명
 $arr_spl = array();
 for($i=0; $i<$supply_count; $i++) {
+ $_POST['spl_id'][$i] = preg_replace(G5_OPTION_ID_FILTER, '', $_POST['spl_id'][$i]);
+
 $spl_val = explode(chr(30), $_POST['spl_id'][$i]);
 if(!in_array($spl_val[0], $arr_spl))
 $arr_spl[] = $spl_val[0];
diff --git a/adm/shop_admin/itemoption.php b/adm/shop_admin/itemoption.php
index 0fec96159..406a5fa08 100644
--- a/adm/shop_admin/itemoption.php
+++ b/adm/shop_admin/itemoption.php
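Review bot: The added line in each hunk writes the filtered value back into `$_POST['opt_id'][$i]` (and `$_POST['spl_id'][$i]` in the second hunk) and the next context line reads it back, so the sanitisation only reaches code that happens to read the superglobal after this point; a local holds the intent better and leaves the raw submission intact for anything else in the file: `$opt_id = preg_replace(G5_OPTION_ID_FILTER, '', $_POST['opt_id'][$i]);` followed by `$opt_val = explode(chr(30), $opt_id);`. Both additions could also carry a comment saying why the filter is there, e.g. `// strip quote/backslash characters before the ids are split and stored (16-682)` — the constant's name does not say what it removes. The filter strips rather than escapes, so wherever `$opt_val`/`$spl_val` are interpolated into SQL later (outside both hunks) the DB escaping helper is still the real defence. Both for-loop bodies continue past the hunks.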
@@ -14,13 +14,13 @@ if($it['it_id']) {
 if(sql_num_rows($result))
 $po_run = true;
 } else if(!empty($_POST)) {
- $opt1_subject = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt1_subject'])));
- $opt2_subject = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt2_subject'])));
- $opt3_subject = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt3_subject'])));
+ $opt1_subject = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt1_subject'])));
+ $opt2_subject = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt2_subject'])));
+ $opt3_subject = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt3_subject'])));

- $opt1_val = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt1'])));
- $opt2_val = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt2'])));
- $opt3_val = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt3'])));
+ $opt1_val = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt1'])));
+ $opt2_val = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt2'])));
+ $opt3_val = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt3'])));

 if(!$opt1_subject || !$opt1_val) {
 echo '옵션1과 옵션1 항목을 입력해 주십시오.';
diff --git a/adm/shop_admin/itemsupply.php b/adm/shop_admin/itemsupply.php
index 7d6987ff4..c7483cf3f 100644
--- a/adm/shop_admin/itemsupply.php
+++ b/adm/shop_admin/itemsupply.php
@@ -84,8 +84,8 @@ if($ps_run) {
 } // for
 } else {
 for($i=0; $i<$subject_count; $i++) {
- $spl_subject = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['subject'][$i])));
- $spl_val = explode(',', preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['supply'][$i]))));
+ $spl_subject = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['subject'][$i])));
+ $spl_val = explode(',', preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['supply'][$i]))));
 $spl_count = count($spl_val);
 for($j=0; $j<$spl_count; $j++) {
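Review bot: The six rewritten lines silently change admin input rather than refusing it: an option name or value containing `'`, `"` or `\` loses those characters, and the only validation that follows is the emptiness check on `if(!$opt1_subject || !$opt1_val)`, so a name made entirely of quotes is reported as "not entered" while a partly-stripped one is stored altered. A comparison against the unfiltered string, reporting disallowed characters the same way the empty case is reported, would make the behaviour visible to the admin; at minimum a comment such as `// G5_OPTION_ID_FILTER drops ' " \ — the stored subject/value may differ from what was typed` belongs above the block. Stripping is a blacklist, not escaping; the values still need the DB escaping helper where they are interpolated into SQL further down (outside the hunk). The itemsupply.php hunk on this page has the same pattern for `$spl_subject` and `$spl_val`.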
diff --git a/shop.config.php b/shop.config.php
index cbaac7fa6..a28e42b20 100644
--- a/shop.config.php
+++ b/shop.config.php
@@ -65,6 +65,9 @@ if(!defined('_THEME_PREVIEW_')) {
 }
 }

+// 옵션 ID 특수문자 필터링 패턴
+define('G5_OPTION_ID_FILTER', '/[\'\"\\\'\\\"]/');
+
 /*
 // 주문상태 상수
 define('G5_OD_STATUS_ORDER' , '입금확인중');
diff --git a/shop/cartupdate.php b/shop/cartupdate.php
index d967f4ce2..e7313def6 100644
--- a/shop/cartupdate.php
+++ b/shop/cartupdate.php
@@ -197,8 +197,8 @@ else // 장바구니에 담기
 // 이미 주문폼에 있는 같은 상품의 수량합계를 구한다.
 if($sw_direct) {
 for($k=0; $k<$opt_count; $k++) {
- $io_id = $_POST['io_id'][$it_id][$k];
- $io_type = $_POST['io_type'][$it_id][$k];
+ $io_id = preg_replace(G5_OPTION_ID_FILTER, '', $_POST['io_id'][$it_id][$k]);
+ $io_type = preg_replace('#[^01]#', '', $_POST['io_type'][$it_id][$k]);
 $io_value = $_POST['io_value'][$it_id][$k];

 $sql = " select SUM(ct_qty) as cnt from {$g5['g5_shop_cart_table']}
@@ -248,8 +248,8 @@ else // 장바구니에 담기
 VALUES ";

 for($k=0; $k<$opt_count; $k++) {
- $io_id = $_POST['io_id'][$it_id][$k];
- $io_type = $_POST['io_type'][$it_id][$k];
+ $io_id = preg_replace(G5_OPTION_ID_FILTER, '', $_POST['io_id'][$it_id][$k]);
+ $io_type = preg_replace('#[^01]#', '', $_POST['io_type'][$it_id][$k]);
 $io_value = $_POST['io_value'][$it_id][$k];

 // 선택옵션정보가 존재하는데 선택된 옵션이 없으면 건너뜀
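Review bot: The character class in the new `G5_OPTION_ID_FILTER` is hard to read: after single-quote string parsing the pattern PHP sees is `/['\"\'\\"]/`, which strips `'`, `"` and `\`, with both quote characters listed twice. Since the constant is now shared by the four other files in this commit, the comment above it should say what it removes and what it does not do, e.g. `// strips ' " and \ from option ids/subjects; a blacklist only — SQL still needs escaping or prepared statements`. The same class without the duplicates is `'/[\'"\\\\]/'`.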
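Review bot: `$io_value` on the context line right after the two rewritten assignments is still taken raw from `$_POST`, while `$io_id` and `$io_type` now get filtered; the `$sql` string that starts on the hunk's last line continues outside the hunk, so if `$io_value` is interpolated into it the same way as `$io_id` it needs the same filtering, or preferably the DB escaping helper, since G5_OPTION_ID_FILTER only strips `'`, `"` and `\` and is not an escape. Also `preg_replace('#[^01]#', '', ...)` repairs an unexpected io_type by deleting characters instead of rejecting the request, so a bad value silently becomes `''` or a shortened string; validating with `preg_match` and skipping the row (or erroring) on mismatch would make the intent explicit. The second hunk (`@@ -248`) has the same two lines and the same raw `$io_value`; both loop bodies continue past the hunk.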