修复一个sql 注入安全漏洞

star7th · Jan 5, 2017 · 8e0989c · 8e0989c
1 parent c07568b
commit 8e0989c
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 4 deletions.
diff --git a/Application/Home/Controller/ItemController.class.php b/Application/Home/Controller/ItemController.class.php
@@ -134,8 +134,7 @@ public function show(){
         $current_page_id = I("page_id/d");
         //判断个性域名
         if ($item_domain) {
-            $item_domain = \SQLite3::escapeString($item_domain) ;
-            $item = D("Item")->where("item_domain = '$item_domain' ")->find();
+            $item = D("Item")->where("item_domain = '%s'",array($item_domain))->find();
             if ($item['item_id']) {
                 $item_id = $item['item_id'] ;
             }

diff --git a/Application/Home/View/Item/add.html b/Application/Home/View/Item/add.html
@@ -31,7 +31,7 @@
 
         <input type="text" class="input-block-level" id="item_name" name="item_name" placeholder="{$Think.Lang.item_name}" autocomplete="off" value="{$item.item_name}" >
         <input type="text" class="input-block-level" id="item_description" name="item_description" placeholder="{$Think.Lang.item_description}" autocomplete="off" value="{$item.item_description}">
-        <input type="text" class="input-block-level"  name="item_domain" placeholder="{$Think.Lang.item_domain}" autocomplete="off" value="{$item.item_domain}" >
+        <input type="text" style="display:none" class="input-block-level"  name="item_domain" placeholder="{$Think.Lang.item_domain}" autocomplete="off" value="{$item.item_domain}" >
         <input style="display:none"><!-- for disable autocomplete on chrome -->
         <input style="display:none"><!-- for disable autocomplete on chrome -->
         <input type="text" onfocus="this.type='password'" id="password" class="input-block-level" name="password" placeholder="{$Think.Lang.visit_password_placeholder}" title="{$Think.Lang.visit_password_placeholder}" autocomplete="off" value="{$item.password}">

diff --git a/composer.json b/composer.json
@@ -5,7 +5,7 @@
     "description": "ShowDoc is a tool greatly applicable for an IT team to share documents online",
     "keywords": ["showdoc","documents","Api"],
     "homepage": "https://github.com/star7th/showdoc",
-    "version":"v1.2.5",
+    "version":"v1.2.6",
     "license": "Apache-2.0",
     "authors": [
         {