代码审计：xdcms注册用户处SQL注入漏洞分析 |

public function register_save(){ 
  
$username=safe_html($_POST['username']);//获取UserName，这里用safe_html函数进行过滤 
  
$password=$_POST['password']; 
  
$password2=$_POST['password2']; 
  
$fields=$_POST['fields']; 
  
if(empty($username)||empty($password2)||empty($password)){ 
  
showmsg(C('material_not_complete'),'-1'); 
  
} 
  
if(!strlength($username,5)){ 
  
showmsg(C('username').C('str_len_error').'5','-1'); 
  
} 
  
if(!strlength($password,5)){ 
  
showmsg(C('password').C('str_len_error').'5','-1'); 
  
} 
  
if($password!=$password2){ 
  
showmsg(C('password_different'),'-1'); 
  
} 
  
$password=md5(md5($password)); 
  
  
  
$user_num=$this->mysql->num_rows("select * from ".DB_PRE."member where `username`='$username'");//判断会员是否存在，这里的UserName可被绕过过滤，导致注入，这是第一处SQL注入 
  
if($user_num>0){ 
  
showmsg(C('member_exist'),'-1'); 
  
} 
  
$ip=safe_replace(safe_html(getip())); 
  
$this->mysql->db_insert('member',"`username`='".$username."',`password`='".$password."',`creat_time`='".datetime()."',`last_ip`='".$ip."',`is_lock`='0',`logins`='0',`groupid`='1'");//插入主要字段——用户名、密码，这里的UserName同意造成注入，第二处sql注入 
  
$last_id=$this->mysql->insert_id(); 
  
  
  
//插入附属字段 
  
$field_sql=''; 
  
foreach($fields as $k=>$v){ 
  
$f_value=$v; 
  
if(is_array($v)){ 
  
$f_value=implode(',',$v); 
  
} 
  
$field_sql.=",`{$k}`='{$f_value}'";//这里没有过滤，直接进入了下面的update sql语句，导致第三处sql注入 
  
} 
  
$field_sql=substr($field_sql,1); 
  
$field_sql="update ".DB_PRE."member set {$field_sql} where userid={$last_id}"; 
  
$query=$this->mysql->query($field_sql); 
  
  
  
showmsg(C('register_success'),'index.php?m=member&f=register'); 
  
}