/core/lib/core/Db.class.php 内的 parse_value 函数还是老样子，上一次的修复只是在 lib/ctrlr/Member/ArchiveCtrlr.class.php 里对输入做了过滤，其他把 ARequest::get() 的整个返回值直接交给模型的地方并没有处理。

在用户注册处（register_do）：

/**
 * Member self-registration handler (form POST).
 *
 * Reads the registration form into $data, overwrites the server-controlled
 * columns, then hands the whole array to Member::add_member().
 *
 * NOTE(review): $data starts as the *entire* request (ARequest::get() with no
 * key). Only the keys assigned below are forced to server-side values; any
 * other POST field the client adds (e.g. member_id) is still in $data when
 * add_member() is called, and nothing visible in this excerpt removes it.
 * Whether add_member() whitelists columns cannot be seen here - confirm.
 * The runs of dots are the original author's elisions, not code.
 */
public function register_do() {
    /* check member register switch */
    if(!$this->_o_m['register']) {
        $this->error(L('MEMBER_REGISTER_IS_OFF'), __APP__);
    }
    // presumably the form-interaction/anti-replay check - confirm what it enforces
    check_interaction('register');
    ............
    // Everything that was POSTed ends up in $data (no per-field whitelist).
    $data = ARequest::get();
    ...........
    // Server-controlled columns: these overwrite a client value for the same
    // key, but do not remove any other client-supplied keys.
    $data['member_model_id'] = intval(ARequest::get('member_model_id'));
    $data['m_userid'] = strtolower(ARequest::get('m_userid'));
    $data['m_username'] = ARequest::get('m_username');
    $data['m_email'] = strtolower(ARequest::get('m_email'));
    // NOTE(review): md5(userid . md5(password)) - the user id is the only
    // "salt"; password_hash()/password_verify() would be the modern choice.
    $data['m_password'] = md5($data['m_userid'] . md5(ARequest::get('m_password')));
    $data['m_points'] = 0;
    $data['m_reg_time'] = time();
    $data['m_reg_ip'] = AServer::get_ip();
    $data['m_login_time'] = $data['m_reg_time'];
    $data['m_login_ip'] = $data['m_reg_ip'];
    // $_MMI is not defined in this excerpt; presumably loaded in an elided section.
    $data['member_level_id'] = $_MMI['mm_default_level'];
    // These fields are predefined by the server.
    .........
    // The whole array - including any undeclared client keys - goes to the model.
    $result = M('Member')->add_member($data);


我们正常提交一次用户注册，

在 POST 数据里额外加上一个控制器没有预定义的字段，例如 member_id：
 

1.png



额外提交的字段值被接收了（见上图）。



全局搜索一下不带参数的 ARequest::get() 调用，同样的写法还出现在：

D:/wamp/www/lib/ctrlr/Member/CustomModelCtrlr.class.php

/**
 * Member-side "add content to a custom model" handler (form POST).
 *
 * Resolves the custom model, merges the whole request into $data, strips
 * external links from the fields the client lists, then inserts via
 * CustomModel::add_content().
 *
 * NOTE(review): array_merge(ARequest::get(), $data) keeps custom_model_id
 * server-controlled (right-hand array wins) but carries every other POST key
 * into $data unchanged; nothing visible here restricts the keys to the
 * model's declared fields before add_content() is called - confirm whether
 * the model layer does. The runs of dots are the original author's elisions.
 */
public function add_content_do() {
    // presumably the form-interaction/anti-replay check - confirm what it enforces
    check_interaction();
    $data = array();
    $data['custom_model_id'] = intval(ARequest::get('custom_model_id'));
    $_CMI = M('CustomModel')->get_modelInfo($data['custom_model_id']);
    if(empty($_CMI) or !$_CMI['cm_status']) {
        $this->error(L('MODEL_IS_NOT_ACTIVE'), Url::U('member/index'));
    }
    .............
    // The whole request comes in again; only custom_model_id is protected
    // by the merge order.
    $data = array_merge(ARequest::get(), $data);
    /* delete external links */
    // NOTE(review): delete_external_links is itself client-supplied, so the
    // $field names below are attacker-chosen array keys; $data[$field] may be
    // unset (undefined-index notice) and non-string values would break the
    // string functions - a check against the model's field list would be safer.
    if(isset($data['delete_external_links']) and !empty($data['delete_external_links'])) {
        foreach($data['delete_external_links'] as $field) {
            // undo magic-quotes escaping before editing, re-apply afterwards
            if(MAGIC_QUOTES_GPC) {
                $data[$field] = stripslashes($data[$field]);
            }
            // protect links to our own host with a placeholder, then strip
            // the remaining <a href="http://..."> tags and </a> closers.
            // NOTE(review): the pattern only matches "http://" - https://
            // and protocol-relative links are left untouched.
            $data[$field] = str_replace(__HOST__, '#basehost#', $data[$field]);
            $data[$field] = preg_replace("/(<a[ \t\r\n]{1,}href=[\"']{0,}http:\/\/[^\/]([^>]*)>)|(<\/a>)/isU", '', $data[$field]);
            $data[$field] = str_replace('#basehost#', __HOST__, $data[$field]);
            if(MAGIC_QUOTES_GPC) {
                $data[$field] = addslashes($data[$field]);
            }
        }
    }
    /* insert into model table */
    // Whole array, including any undeclared client keys, goes to the model.
    $result = M('CustomModel')->add_content($data);


建议一次性全部修复：不要把 ARequest::get() 返回的整个数组直接交给 add_member()/add_content()，而是按模型实际允许的字段做白名单过滤（或在模型层统一过滤），否则逐个控制器打补丁还会再漏。

 

1.png