From b4604fca6781e8302e240d5f4c6e2ae3f455909a Mon Sep 17 00:00:00 2001 From: thisgun Date: Mon, 9 Sep 2019 12:27:14 +0900 Subject: [PATCH] =?UTF-8?q?[KVE-2019-1318]=20SQL=20Injection=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/sms_admin/history_view.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/adm/sms_admin/history_view.php b/adm/sms_admin/history_view.php index 43e144fa4..a62558385 100644 --- a/adm/sms_admin/history_view.php +++ b/adm/sms_admin/history_view.php @@ -12,6 +12,10 @@ if( $st && !in_array($st, array('hs_name', 'hs_hp', 'bk_no')) ){ $st = ''; } +if( $sst && !in_array($sst, array('mb_id', 'bk_no', 'hs_name', 'hs_hp', 'hs_datetime', 'hs_flag', 'hs_code', 'hs_memo', 'hs_log')) ){ + $sst = ''; +} + auth_check($auth[$sub_menu], "r"); $g5['title'] = "문자전송 상세내역"; @@ -22,7 +26,7 @@ if (!is_numeric($wr_no)) if ($spage < 1) $spage = 1; if ($sst && trim($ssv)) - $sql_search = " and $sst like '%$ssv%' "; + $sql_search = " and $sst like '%".sql_real_escape_string($ssv)."%' "; else $sql_search = "";