From 02310f2319205356af8c43b2ed8c91fa96b4b514 Mon Sep 17 00:00:00 2001
From: chicpro
Date: Thu, 2 Jul 2015 14:09:58 +0900
Subject: [PATCH] =?UTF-8?q?XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bbs/new.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/bbs/new.php b/bbs/new.php
index f8fc7ecc4..bbf9ccf96 100644
--- a/bbs/new.php
+++ b/bbs/new.php
@@ -18,7 +18,9 @@ if ($view == "w")
 else if ($view == "c")
 $sql_common .= " and a.wr_id <> a.wr_parent ";
 
-$mb_id = isset($_GET['mb_id']) ? strip_tags($_GET['mb_id']) : "";
+$mb_id = isset($_GET['mb_id']) ? ($_GET['mb_id']) : '';
+$mb_id = substr(preg_replace('#[^a-z0-9_]#i', '', $mb_id), 0, 20);
+
 if ($mb_id) {
 $sql_common .= " and a.mb_id = '{$mb_id}' ";
 }
@@ -28,9 +30,9 @@ $sql = " select count(*) as cnt {$sql_common} ";
 $row = sql_fetch($sql);
 $total_count = $row['cnt'];
 
-$rows = $config['cf_new_rows'];
+$rows = G5_IS_MOBILE ? $config['cf_mobile_page_rows'] : $config['cf_new_rows'];
 $total_page = ceil($total_count / $rows); // 전체 페이지 계산
-if (!$page) $page = 1; // 페이지가 없으면 첫 페이지 (1 페이지)
+if ($page < 1) $page = 1; // 페이지가 없으면 첫 페이지 (1 페이지)
 $from_record = ($page - 1) * $rows; // 시작 열을 구함
 
 $group_select = '
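Review bot: `$_GET['mb_id']` can arrive as an array (`mb_id[]=...`), and the new second line then passes the array result of `preg_replace()` into `substr()`, which is a warning plus `null` on PHP 5/7 and a `TypeError` on PHP 8; the replaced `strip_tags()` line had the same weakness, but this rewrite is the place to close it. Guarding the type on the first line keeps the whitelist intact: `$mb_id = isset($_GET['mb_id']) && is_string($_GET['mb_id']) ? $_GET['mb_id'] : '';`. The `[^a-z0-9_]` whitelist together with the 20-character cap is what makes the unparameterised interpolation into `$sql_common` two lines below safe, so a comment stating that contract, `// whitelist: only [A-Za-z0-9_] (max 20 chars) may reach $sql_common`, would keep a later edit from loosening the pattern without noticing the SQL dependency. The parentheses around `($_GET['mb_id'])` are redundant, and `if ($mb_id)` is a truthiness test that also rejects the id `'0'`, which the whitelist allows; `if ($mb_id !== '')` is the exact check.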
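Review bot: `if ($page < 1) $page = 1;` only normalises numeric values, so a non-numeric `$page` (its origin is outside this hunk) still reaches `($page - 1) * $rows` on the following line; casting first, `$page = (int) $page; if ($page < 1) $page = 1;`, guarantees `$from_record` is a non-negative integer. The new `$rows` line selects `$config['cf_mobile_page_rows']` on mobile, and if that setting is empty or 0 the `ceil($total_count / $rows)` line divides by zero (a warning in PHP 5/7, `DivisionByZeroError` in PHP 8); `$rows = max(1, (int) $rows);` placed before the division would cover both config keys. Whether `cf_mobile_page_rows` is always populated cannot be seen from this hunk.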