原文地址:h t t p://rices.so/2743-10-26.html
public function explore_action()
{
// 省略........... By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if ($_GET['category'])
{
if (is_numeric($_GET['category'])) //据说以前这里也可以注射 所以被isnum了..
{
$category_info = $this->model('system')->get_category_info($_GET['category']);
}
/*
省略......
*/
// 注射开始! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if (TPL::is_output('block/content_question.tpl.htm', 'home/explore'))
{
if (! $_GET['sort_type'])
{
$_GET['sort_type'] = 'new';
}
if ($_GET['sort_type'] == 'unresponsive')
{
$_GET['answer_count'] = '0';
}
$question_list = $this->model('question')->get_questions_list($_GET['page'], get_setting('contents_per_page'), $_GET['sort_type'], $_GET['topic_id'], $this->user_id, $category_info['id'], $_GET['answer_count'], $_GET['day']);
//$_GET['topic_id']直接带入了 fvck.fvck! By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
TPL::assign('question_list', $question_list);
TPL::assign('question_list_bit', TPL::output('question/ajax/list', false));
// 省略....
public function get_questions_list($page = 1, $pre_page = 10, $sort = 'hot', $topic_id = 0, $uid = null, $category_id = null, $answer_count = null, $day = 30)
{
$uid = intval($uid);
$user_id_list = array();
$user_info_list = array();
$user_list = array();
$question_info_list = array();
$question_list = array();
$limit = calc_page_limit($page, $pre_page);
if ($sort == 'hot')
{
$question_info_list = $this->get_hot_question($category_id, $topic_id, $limit, $day);
//继续带入$topic_id By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
}
//省略...... By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
public function get_hot_question($category_id = 0, $topic_id = null, $limit = '0, 10', $day = 30)
{
$day = intval($day);
if (!$day)
{
$add_time = '0';
}
else if ($day == 1)
{
$add_time = strtotime('-1 day');
}
else
{
$add_time = strtotime('-' . $day . 'day');
}
if ($category_id)
{
$question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND focus_count > 0 AND agree_count > 0 AND answer_count > 0 AND category_id IN(" . implode(',', $this->model('system')->get_category_with_child_ids('question', $category_id)) . ')');
}
else if ($topic_id)// 开始了
{
$topic_ids = array();
if (is_array($topic_id))
{
$topic_ids = $topic_id;
}
else
{
$topic_ids[] = $topic_id;
}
//无任何过滤 又带入了get_question_ids_by_topics_ids函数 By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
if ($question_ids = $this->model('topic')->get_question_ids_by_topics_ids($topic_ids, 10, null, 'question_id DESC'))
{
$question_all = $this->fetch_all('question', "add_time > " . $add_time . " AND question_id IN(" . implode(',', $question_ids) . ')', 'popular_value DESC', $limit);
}
}
else
{
$question_all = $this->fetch_all('question', 'add_time > ' . $add_time, 'popular_value DESC', $limit);
}
return $question_all;
}
function get_question_ids_by_topics_ids($topic_ids, $limit, $where = null, $order = 'update_time DESC')
{
if (!is_array($topic_ids))
{
$topic_id_in = $topic_ids;
}
else
{
$topic_id_in = implode(',', $topic_ids);
}
if ($where)
{
$where = ' AND ' . $where;
}
$_order = explode(' ', $order);
if (!$where AND $_order[0] == 'question_id')
{
$result = $this->query_all("SELECT question_id FROM " . $this->get_table('topic_question') . " WHERE topic_id IN (" . $topic_id_in . ") ORDER BY " . $order, $limit);
// 直接入库执行了, 注射产生~~ By.Rices -> Forum: T00ls.Net -> Blog: Rices.so
}
else
{ //省略....
不知修复了没?
阅读全文
收起全文
