5w五维网址导航 v8.0 两个小洞

以下是引用片段：

if($site != '' && $site != 'www'){ 
                $controller = $site; 
                if($uri != '' && $uri != '/'){ 
                        // list
                        if(preg_match('/^\/([0-9a-z]+)\-(\d+)\-(\d+)\.htm.*$/', $uri, $matches)){  //01ads54-8656-4545.html
                                header("location:[url]http://www.5w.com/404.html[/url]");
                                $action = $matches[1];
                                $params['cid'] = $matches[2];
                                $params['page'] = $matches[3];
                        }
                        // detail
                        if(preg_match('/^\/(\w+)\.htm.*$/', $uri, $matches)){
                                $action = 'detail';
                                $params['id'] = $matches[1];
                        }
                }
        }
//}

$controller = isset($_GET['c']) ? $_GET['c'] : (isset($controller) ? $controller : 'index');  
$action     = isset($_GET['a']) ? $_GET['a'] : (isset($action) ? $action : 'index');
$params['cid'] = isset($_GET['cid']) ? $_GET['cid']:'';

$params['controller'] = $controller; 
$params['action']     = $action;  

require_once CONTROLLER_PATH . 'tuan/abstractController.php';

$classname  = $controller.'Controller';
$actionName = $action.'Action'; 

$filePath   = CONTROLLER_PATH . 'tuan/'. $classname.'.php';  // controllers/tun/
if (file_exists($filePath)){ 
        include_once $filePath;     //如果文件存在.包含

以下是引用片段：

 $getIP = GetIP();
                        $domain = $userName;
        $sql = "INSERT INTO `".DBPREFIX."members` (`userID`, `userMail`, `userName`, `userPwd`, `userLoginTimes`, `userLastIP`, `userStatus`, `userLastDate`, `userRegDate`, `userRegIP`, `from`, `domain`) VALUES (NULL, '".$userMail."', '".$userName."', '".md5($userPwd)."', '1', '".$getIP."', '1', '".time()."', '".time()."', '".$getIP."', '5w', '".$domain."');";
        //                echo $sql;exit;
                $this->objC -> RunQuery($sql);
                if($this->objC -> GetAffectedRows() <= 0){
                        AlertMsg('对不起，注册失败，请稍候再试！',"-1");
                        exit();

if (isset($_SERVER)){
 388          if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])){
 389              $realip = $_SERVER["HTTP_X_FORWARDED_FOR"];
 390          } else if (isset($_SERVER["HTTP_CLIENT_IP"])) {
 391              $realip = $_SERVER["HTTP_CLIENT_IP"];
 392          } else {
 393              $realip = $_SERVER["REMOTE_ADDR"];
 394          }
 395      } else {
 396          if (getenv("HTTP_X_FORWARDED_FOR")){
 397              $realip = getenv("HTTP_X_FORWARDED_FOR");
 398          } else if (getenv("HTTP_CLIENT_IP")) {
 399              $realip = getenv("HTTP_CLIENT_IP");
 400          } else {
 401              $realip = getenv("REMOTE_ADDR");
 402          }
 403      }
  
     return $realip;

很鸡叻的