[KVE-2019-0008, 0014, 0029] 영카트 XSS 및 SQL Injection 취약점 수정

2019-02-14 09:26:42 +09:00
parent b6d9260f3a
commit d81b56c0ec
5 changed files with 18 additions and 18 deletions
--- a/adm/shop_admin/itemlistupdate.php
+++ b/adm/shop_admin/itemlistupdate.php
@ -24,20 +24,20 @@ if ($_POST['act_button'] == "선택수정") {
        }

        $sql = "update {$g5['g5_shop_item_table']}
-                   set ca_id          = '{$_POST['ca_id'][$k]}',
-                       ca_id2         = '{$_POST['ca_id2'][$k]}',
-                       ca_id3         = '{$_POST['ca_id3'][$k]}',
-                       it_name        = '{$_POST['it_name'][$k]}',
-                       it_cust_price  = '{$_POST['it_cust_price'][$k]}',
-                       it_price       = '{$_POST['it_price'][$k]}',
-                       it_stock_qty   = '{$_POST['it_stock_qty'][$k]}',
-                       it_skin        = '{$_POST['it_skin'][$k]}',
-                       it_mobile_skin = '{$_POST['it_mobile_skin'][$k]}',
-                       it_use         = '{$_POST['it_use'][$k]}',
-                       it_soldout     = '{$_POST['it_soldout'][$k]}',
-                       it_order       = '{$_POST['it_order'][$k]}',
+                   set ca_id          = '".sql_real_escape_string($_POST['ca_id'][$k])."',
+                       ca_id2         = '".sql_real_escape_string($_POST['ca_id2'][$k])."',
+                       ca_id3         = '".sql_real_escape_string($_POST['ca_id3'][$k])."',
+                       it_name        = '".sql_real_escape_string($_POST['it_name'][$k])."',
+                       it_cust_price  = '".sql_real_escape_string($_POST['it_cust_price'][$k])."',
+                       it_price       = '".sql_real_escape_string($_POST['it_price'][$k])."',
+                       it_stock_qty   = '".sql_real_escape_string($_POST['it_stock_qty'][$k])."',
+                       it_skin        = '".sql_real_escape_string($_POST['it_skin'][$k])."',
+                       it_mobile_skin = '".sql_real_escape_string($_POST['it_mobile_skin'][$k])."',
+                       it_use         = '".sql_real_escape_string($_POST['it_use'][$k])."',
+                       it_soldout     = '".sql_real_escape_string($_POST['it_soldout'][$k])."',
+                       it_order       = '".sql_real_escape_string($_POST['it_order'][$k])."',
                       it_update_time = '".G5_TIME_YMDHIS."'
-                 where it_id   = '{$_POST['it_id'][$k]}' ";
+                 where it_id   = '".preg_replace('/[^a-z0-9_\-]/i', '', $_POST['it_id'][$k])."' ";
        sql_query($sql);
    }
 } else if ($_POST['act_button'] == "선택삭제") {
@ -55,7 +55,7 @@ if ($_POST['act_button'] == "선택수정") {
        $k = $_POST['chk'][$i];

        // include 전에 $it_id 값을 반드시 넘겨야 함
-        $it_id = $_POST['it_id'][$k];
+        $it_id = preg_replace('/[^a-z0-9_\-]/i', '', $_POST['it_id'][$k]);
        include ('./itemdelete.inc.php');
    }
 }