From e9af20874b30fd411b31d9de07931889f51194ac Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 11 Jan 2017 17:51:00 +0900
Subject: [PATCH] =?UTF-8?q?Injection=20=EC=B7=A8=EC=95=BD=EC=A0=90(16-1014?= =?UTF-8?q?)=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/shop_admin/orderlist.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/adm/shop_admin/orderlist.php b/adm/shop_admin/orderlist.php
index 0bedc1e2a..255b08f6f 100644
--- a/adm/shop_admin/orderlist.php
+++ b/adm/shop_admin/orderlist.php
@@ -11,9 +11,12 @@ include_once(G5_PLUGIN_PATH.'/jquery-ui/datepicker.php');
 $where = array();
 $doc = strip_tags($doc);
-$sort1 = strip_tags($sort1);
+$sort1 = in_array($sort1, array('od_id', 'od_cart_price', 'od_receipt_price', 'od_cancel_price', 'od_misu', 'od_cash')) ? $sort1 : '';
 $sort2 = in_array($sort2, array('desc', 'asc')) ? $sort2 : 'desc';
 $sel_field = get_search_string($sel_field);
+if( !in_array($sel_field, array('od_id', 'mb_id', 'od_name', 'od_tel', 'od_hp', 'od_b_name', 'od_b_tel', 'od_b_hp', 'od_deposit_name', 'od_invoice')) ){ //검색할 필드 대상이 아니면 값을 제거
+ $sel_field = '';
+}
 $od_status = get_search_string($od_status);
 $search = get_search_string($search);
 if(! preg_match("/^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$/", $fr_date) ) $fr_date = '';