WooYun.org

if(!(get_magic_quotes_gpc())) {
	$_GET = saddslashes($_GET);
	$_POST = saddslashes($_POST);
    $_COOKIE = saddslashes($_COOKIE);
}

elseif (!empty($_POST)) { //如果POST不为空
	
	//编辑标题
	if(!empty($_GET['editaid']) && $editaid = intval($_GET['editaid'])) {
		$editsubject = cutstr(trim(shtmlspecialchars($_POST['editsubject'])), 50);
		updatetable('attachments', array('subject'=>$editsubject), array('aid'=>$editaid));
		print <<<END
		<script language="javascript">
		var div = parent.document.getElementById("div_upload_" + $editaid);
		var pf = parent.document.getElementById("phpframe");
		pf.src = "about:blank";
		div.innerHTML = "$editsubject";
		</script>
END;
		exit;
	}
	
	//上传文件
	//上传模式
	$mode = intval(postget('mode')); 
	if($mode>3) exit; //mode 直接让他为空
	$hash = trim(preg_replace("/[^a-z0-9\-\_]/i", '', trim($_POST['hash'])));
	if(strlen($hash) != 16) showresult($blang['unable_to_complete_this_craft']);//这里只判断hash的长度为不为16 没有进一步的验证 那么就让hash为1111111111111111
	
	//个数
	$filecount = 1;
	$query = $_SGLOBAL['db']->query('SELECT COUNT(*) FROM '.tname('attachments').' WHERE hash=\''.$hash.'\'');
	$count = $_SGLOBAL['db']->result($query, 0);
	$allowmax = intval($_POST['uploadallowmax']);
	if($allowmax > 0 && $count + $filecount > $allowmax) showresult($blang['the_number_has_reached_maximum']);
	//类型
	$allowtypearr = getallowtype(trim($_POST['uploadallowtype']));//取得上传的类型
	
	//空间
	$attachsize = 0;
	include_once(S_ROOT.'./function/upload.func.php');
	if(empty($mode)) { //让$mode为空即可
		//本地上传
		//检查
		$filearr = $_FILES['localfile'];//获取files
		if(empty($filearr['size']) || empty($filearr['tmp_name'])) showresult($blang['failure_to_obtain_upload_file_size']);
		$fileext = fileext($filearr['name']);//获取后缀
		if(!empty($allowtypearr)) {
			if(empty($allowtypearr[$fileext])) showresult($blang['upload_not_allow_this_type_of_resources']." ($allowtype_ext)");
			if($filearr['size'] > $allowtypearr[$fileext]['maxsize']) showresult($blang['file_size_exceeded_the_permissible_scope']);
		}
		//缩略图
		if(!empty($_POST['uploadthumb0']) && !empty($_SCONFIG['thumbarray'][$_POST['uploadthumb0']])) {
			$thumbarr = $_SCONFIG['thumbarray'][$_POST['uploadthumb0']];
		} else {
			$thumbarr = array($_POST['thumbwidth'], $_POST['thumbheight']);
		}
		
		//上传
		$newfilearr = savelocalfile($filearr, $thumbarr);
		if(empty($newfilearr['file'])) showresult($blang['uploading_files_failure']);
		//数据库
		if(empty($_POST['uploadsubject0'])) $_POST['uploadsubject0'] = cutstr(filemain($filearr['name']), 50);
//下面就带入到insert当中啦
		$insertsqlarr = array(
			'uid' => $uid,
			'dateline' => $_SGLOBAL['timestamp'],
			'filename' => saddslashes($filearr['name']),//对文件的名字转义
			'subject' => trim(shtmlspecialchars($_POST['uploadsubject0'])),
			'attachtype' => $fileext,//这里没有对文件的后缀转义
			'isimage' => (in_array($fileext, array('jpg','jpeg','gif','png'))?1:0),
			'size' => $filearr['size'],
			'filepath' => $newfilearr['file'],
			'thumbpath' => $newfilearr['thumb'],
			'hash' => $hash
		);
		inserttable('attachments', $insertsqlarr)//insert;

function fileext($filename) {
	return strtolower(trim(substr(strrchr($filename, '.'), 1)));
}