esp cms injection 0day-vulnerability warning-the black bar safety net

In urldecode the role of the non-filtered result in injection form interface/search.php ---- intaglist ---- $tagkey（ Urldecdoe after processing directly into SQL statement, the injection formedcode omitted Test: http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=dd%2 5 2 7,%2527dd%2 5 ...