Brief description: phpwind's handling of SQL placeholders (the _parseStatement routine) has a small flaw in code quality.

Detailed description: The _parseStatement function in phpwind/lib/utility/querybuilder.class.php parses the placeholders in a statement. It is reached from /phpwind/actions/ajax/leaveword.php, lines 7 and 8:

$db->update(pwQuery::buildClause("UPDATE :pw_table SET leaveword=" . S::sqlEscape($atc_content) . "$sqladd WHERE pid=:pid AND tid=:tid", array($pw_posts, $pid, $tid)));
This does not consider that $atc_content may itself contain a placeholder, nor that pid should be a number; it is taken directly as a string. Line 31:

S::gp(array( 'pid', 'atc_content', 'ifmsg' ), 'P');

Result: SQL injection
However, because PW replaces the equal sign and the closing parenthesis, this cannot lead to a very serious SQL injection vulnerability. Submitting pid=asd and atc_content=:pid produces the error: Query Error: UPDATE pw_posts SET leaveword= ' 'asd' ' WHERE pid= 'asd' AND tid="

Repair solution:

Perhaps the global replacement into HTML entities was forgotten; that can also be tried :)

The vendor has released a patch; please upgrade.
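The two defects above (user text concatenated into the statement before placeholder parsing, and ids bound without a numeric check) and the repair are easiest to see side by side. The following Python model is an added example, not phpwind's code: build_clause is an assumed reconstruction of a named-placeholder builder (unique :names paired in order with positional values, :pw_* names treated as table names), sql_escape stands in for S::sqlEscape, and the two leaveword_update_* functions and placeholders_in_user_data are hypothetical helpers written for this illustration.

```python
import re

# Placeholder syntax assumed for this model: a colon followed by an identifier.
PLACEHOLDER = re.compile(r":([A-Za-z_]\w*)")
TABLE_PREFIX = "pw_"  # assumption: placeholders named :pw_* carry table names


def sql_escape(value):
    """Minimal string-literal quoting (doubles single quotes, escapes backslashes).
    Stand-in for S::sqlEscape(); integers are emitted bare."""
    if isinstance(value, int):
        return str(value)
    text = str(value).replace("\\", "\\\\").replace("'", "''")
    return "'" + text + "'"


def build_clause(statement, params):
    """Model of a named-placeholder builder (assumed behaviour, not phpwind's code):
    the unique :names in the statement are paired, in order of first appearance,
    with the positional values in params, then every occurrence of each :name is
    replaced in a single pass. Missing values become empty strings, which is what
    the 'tid=' tail of the reported error message suggests."""
    names = []
    for m in PLACEHOLDER.finditer(statement):
        if m.group(1) not in names:
            names.append(m.group(1))
    bound = dict(zip(names, params))

    def substitute(m):
        name = m.group(1)
        value = bound.get(name, "")
        # Table placeholders are inserted bare; everything else is quoted.
        return str(value) if name.startswith(TABLE_PREFIX) else sql_escape(value)

    # re.sub is one pass: substituted text is never rescanned for placeholders.
    return PLACEHOLDER.sub(substitute, statement)


def leaveword_update_vulnerable(table, atc_content, pid, tid):
    """Mirrors the reported pattern: the escaped user text is concatenated into
    the statement BEFORE placeholder parsing, so a ':name' inside it is parsed
    as a placeholder, and pid/tid are bound without any numeric check."""
    return build_clause(
        "UPDATE :pw_table SET leaveword=" + sql_escape(atc_content)
        + " WHERE pid=:pid AND tid=:tid",
        [table, pid, tid],
    )


def leaveword_update_fixed(table, atc_content, pid, tid):
    """Hardened form: the template is a constant authored by the developer, user
    text only enters through a placeholder value, and ids are validated as
    integers before binding (int() raises ValueError on input such as 'asd')."""
    pid_int, tid_int = int(pid), int(tid)
    return build_clause(
        "UPDATE :pw_table SET leaveword=:content WHERE pid=:pid AND tid=:tid",
        [table, atc_content, pid_int, tid_int],
    )


def placeholders_in_user_data(*values):
    """Detection aid for request logs: return the submitted fields that contain
    placeholder-like text, the marker of the probe described in the report."""
    return [v for v in values if PLACEHOLDER.search(str(v))]


if __name__ == "__main__":
    # Constructed input reproducing the report: pid=asd, atc_content=:pid, tid absent.
    print(leaveword_update_vulnerable("pw_posts", ":pid", "asd", ""))
    print(leaveword_update_fixed("pw_posts", ":pid", "5", "7"))
    print(placeholders_in_user_data("hello", ":pid"))
```

With the reported input the vulnerable builder yields leaveword=''asd'' and pid='asd', matching the Query Error in the report, while the fixed builder keeps the literal text ':pid' in leaveword and rejects a non-numeric pid before any SQL is built. One caveat for anyone porting the fix: the single-pass substitution matters. A loop of str_replace calls, one per placeholder name, rescans text inserted by earlier replacements, so a user-supplied ':pid' bound through :content would still be rewritten by the later :pid replacement.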