My home-page template contains a SQL statement, as follows:
After generating the home page, the following error is shown:
MySQL Query:SELECT * FROM [pre]company c,(selec WHERE status=3 and n.classid=1 and n.username=c.username GROUP BY n.username ORDER BY n.addtime desc LIMIT 0,10
MySQL Error:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE status=3 and n.classid=1 and n.username=c.username GROUP BY n.username ORD' at line 1 MySQL Errno:0
It works fine in the template editor's preview; the error only appears when generating the HTML. The "select *" in the template is being replaced with "selec". Is this a problem with the strip_sql function in /include/global.func.php?
// Keyword blacklist applied to strings before they reach MySQL: every pattern is matched
// case-insensitively and rewritten with the replacement string at the same array index.
function strip_sql($string) {
    $search = array("/union/i","/where/i","/0x([a-z0-9]{2,})/i","/select([[:space:]\*\/\-\(])/i","/update([[:space:]\*\/\-\(])/i","/replace([[:space:]\*\/\-\(])/i","/delete([[:space:]\*\/\-\(])/i","/drop([[:space:]\*\/\-\(])/i","/outfile([[:space:]\*\/\-\(])/i","/dumpfile([[:space:]\*\/\-\(])/i","/load_file[[:space:]]*\(/i","/substring[[:space:]]*\(/i","/substr[[:space:]]*\(/i","/left[[:space:]]*\(/i","/concat[[:space:]]*\(/i","/concat_ws[[:space:]]*\(/i","/ascii[[:space:]]*\(/i","/hex[[:space:]]*\(/i","/ord[[:space:]]*\(/i","/char[[:space:]]*\(/i");
    $replace = array('union','where','0x\\1','selectt\\1','update\\1','replace\\1','delete\\1','drop\\1','outfile\\1','dumpfile\\1','load_file(','substring(','substr(','left(','concat(','concat_ws(','ascii(','hex(','ord(','char(');
    // Arrays are filtered element by element; a string goes through preg_replace with all patterns in order.
    return is_array($string) ? array_map('strip_sql', $string) : preg_replace($search, $replace, $string);
}
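Added illustration, not code from the post or from the CMS itself: a Python port of the posted regex list, run over a constructed query shaped like the template's, showing that with this replace array only the select rule actually inserts characters (turning "SELECT *" into "selectt *", enough to make MySQL reject the generated query) while the other rules at most lowercase a keyword or drop whitespace before "(". It assumes PCRE's [[:space:]] maps to Python's \s; the patterns and replacement strings are otherwise reproduced exactly as posted.

```python
import re

# Python port of the strip_sql() blacklist posted above (PHP/PCRE).
# Assumption: PCRE's [[:space:]] is written as Python's \s; every pattern and
# replacement string is otherwise copied from the posted PHP, in the same order.
KEYWORD_RULES = [
    (r"union", "union"),
    (r"where", "where"),
    (r"0x([a-z0-9]{2,})", r"0x\1"),
    (r"select([\s*/\-(])", r"selectt\1"),   # the only rule that inserts characters
    (r"update([\s*/\-(])", r"update\1"),
    (r"replace([\s*/\-(])", r"replace\1"),
    (r"delete([\s*/\-(])", r"delete\1"),
    (r"drop([\s*/\-(])", r"drop\1"),
    (r"outfile([\s*/\-(])", r"outfile\1"),
    (r"dumpfile([\s*/\-(])", r"dumpfile\1"),
]
# Function-name rules: the replacement lowercases the name and removes spaces before "(".
FUNC_RULES = [
    (rf"{name}\s*\(", f"{name}(")
    for name in ("load_file", "substring", "substr", "left", "concat",
                 "concat_ws", "ascii", "hex", "ord", "char")
]
RULES = [(re.compile(pat, re.IGNORECASE), repl) for pat, repl in KEYWORD_RULES + FUNC_RULES]


def strip_sql(value):
    """Mirror the PHP: recurse into arrays, otherwise apply every rule in order."""
    if isinstance(value, list):
        return [strip_sql(v) for v in value]
    for pattern, repl in RULES:
        value = pattern.sub(repl, value)
    return value


def firing_rules(sql):
    """Patterns that would alter the given SQL: useful for diagnosing why a template query broke."""
    return [pattern.pattern for pattern, repl in RULES if pattern.sub(repl, sql) != sql]


# Constructed sample query with the same shape as the template's (not the page's exact template).
SAMPLE_SQL = ("SELECT * FROM [pre]company c WHERE status=3 and c.classid=1 "
              "ORDER BY c.addtime desc LIMIT 0,10")

if __name__ == "__main__":
    print(strip_sql(SAMPLE_SQL))   # the leading "SELECT *" becomes "selectt *", invalid MySQL
    print(firing_rules(SAMPLE_SQL))
```

Whatever replacement string the installed copy actually uses, the mechanism is the same: trusted template SQL is passing through a keyword blacklist written for untrusted input, so the generated query breaks regardless of how the individual regexes are tuned.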