同步官方补丁:修复sql注入隐患

Signed-off-by: 小胡 <3203164629@qq.com>
This commit is contained in:
小胡
2024-04-15 12:14:27 +00:00
committed by Gitee
Unverified
parent a4073f474c
commit f4e2e791b0


@@ -365,12 +365,14 @@ class table_resources_event extends dzz_table
foreach ($condition as $k => $v) {
if (!is_array($v)) {
$connect = 'and';
$wheresql .= $connect . ' e.' . $k . " = '" . $v . "' ";
$wheresql .= $connect . ' e.' . $k . " = %s ";
$params[] = $v;
} else {
$relative = isset($v[1]) ? $v[1] : '=';
$connect = isset($v[2]) ? $v[2] : 'and';
if ($relative == 'in') {
$wheresql .= $connect . " e." . $k . " " . $relative . " (" . $v[0] . ") ";
$wheresql .= $connect . " e." . $k . " in (%n) ";
$params[]=$v[0];
} elseif ($relative == 'nowhere') {
continue;
} elseif ($relative == 'stringsql') {
@@ -379,7 +381,8 @@ class table_resources_event extends dzz_table
$wheresql .= $connect . " e." . $k . " like %s ";
$params[] = '%' . $v[0] . '%';
} else {
$wheresql .= $connect . ' e.' . $k . ' ' . $relative . ' ' . $v[0] . ' ';
$wheresql .= $connect . ' e.' . $k . ' = %s ';
$params[]=$v[0] ;
}
}
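Review bot: The rewritten else branch on the line `$wheresql .= $connect . ' e.' . $k . ' = %s ';` drops `$relative`, so a caller passing `array($value, '>')` or `array($value, '!=')` now silently gets an equality test instead of the comparison it asked for, while `$relative` is still computed on the `isset($v[1])` line and no longer used there. Keep the operator by whitelisting it rather than interpolating it: `$relative = in_array($relative, array('=', '!=', '<>', '>', '>=', '<', '<='), true) ? $relative : '=';` followed by `$wheresql .= $connect . ' e.' . $k . ' ' . $relative . ' %s ';`. The column name `$k` is still concatenated raw into the SQL on every branch, so this patch only closes the value side; if any caller builds `$condition` keys from request data the identifier remains injectable, and a guard such as `if (!preg_match('/^\w+$/', $k)) continue;` at the top of the loop (or a whitelist of known columns) would close that. The `in` branch now passes `$v[0]` through `%n` where the old code spliced it in as a raw list, so a caller that passes a comma-joined string rather than an array presumably ends up with a single quoted value — worth confirming against the base class's placeholder formatter. The enclosing method starts before the first hunk and the `stringsql` branch is cut by the hunk boundary.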