WooYun.org

$db->query_unbuffered("insert into {$tpf}posts set ".$db->sql_array($ins)."");
				$pid = $db->insert_id();
				make_tags($tags,$tag_arr,$pid);		//注入点
				$db->query_unbuffered("update {$tpf}categories set cate_num=cate_num+1 where cate_id='$cate_id'");
				$sysmsg[] = $settings[pd_post_name].'发布成功';

function make_tags($tags,$tag_arr,$file_id){
	global $db,$tpf,$timestamp,$pd_uid;
	if($tags){
		$tags = filter_tag($tags); 
		$tags_str = '';
		for($i=0;$i<count($tag_arr);$i++){
			if($tag_arr[$i]){
				$tags_str .= "'".filter_tag($tag_arr[$i])."',";//filter_tag对tag的值做了处理
				$rs = $db->fetch_one_array("select count(*) as total from {$tpf}post2tag where tag_name='{$tag_arr[$i]}' and pid='{$file_id}'");
				if(!$rs['total']){
					$ins = array(
					'tag_name' => $tag_arr[$i],
					'pid' => $file_id,
					);
					$db->query_unbuffered("insert into {$tpf}post2tag set ".$db->sql_array($ins).";");
				}
				unset($rs);
			}
		}
		$tags_str = (substr($tags_str,-1) ==',') ? substr($tags_str,0,-1) : $tags_str;
		$db->query_unbuffered("update {$tpf}tags set tag_count=tag_count-1 where tag_name in (select tag_name from {$tpf}post2tag where pid='$file_id')");
		//echo "delete from {$tpf}post2tag where pid='$file_id' and tag_name not in ($tags_str)";
		$db->query_unbuffered("delete from {$tpf}post2tag where pid='$file_id' and tag_name not in ($tags_str)"//留下反斜杠注入发生

function filter_tag($str){
	return str_replace(array('"',"'",'/','(',')','*'),'',$str);
}