firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

XSS 및 SQL Injection 보안 취약점 수정

Browse Source
This commit is contained in:
chicpro
2014-07-31 17:01:06 +09:00
parent 0742c5f81b
commit 79d7a690f4
8 changed files with 26 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
common.php
View File

@ -20,8 +20,9 @@ $ext_arr = array ('PHP_SELF', '_ENV', '_GET', '_POST', '_FILES', '_SERVER', '_CO
'HTTP_COOKIE_VARS', 'HTTP_SESSION_VARS', 'GLOBALS');
$ext_cnt = count($ext_arr);
for ($i=0; $i<$ext_cnt; $i++) {
// GET 으로 선언된 전역변수가 있다면 unset() 시킴
if (isset($_GET[$ext_arr[$i]])) unset($_GET[$ext_arr[$i]]);
// POST, GET 으로 선언된 전역변수가 있다면 unset() 시킴
if (isset($_GET[$ext_arr[$i]])) unset($_GET[$ext_arr[$i]]);
if (isset($_POST[$ext_arr[$i]])) unset($_POST[$ext_arr[$i]]);
}
//==========================================================================================================================
@ -381,7 +382,7 @@ if ($_SESSION['ss_mb_id']) { // 로그인중이라면
$tmp_mb_id = substr(preg_replace("/[^a-zA-Z0-9_]*/", "", $tmp_mb_id), 0, 20);
// 최고관리자는 자동로그인 금지
if ($tmp_mb_id != $config['cf_admin']) {
if (strtolower($tmp_mb_id) != strtolower($config['cf_admin'])) {
$sql = " select mb_password, mb_intercept_date, mb_leave_date, mb_email_certify from {$g5['member_table']} where mb_id = '{$tmp_mb_id}' ";
$row = sql_fetch($sql);
$key = md5($_SERVER['SERVER_ADDR'] . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . $row['mb_password']);