By:Cond0r

        function tao_check($string){
                if(!is_array($string)) return addslashes(trim($string));
                foreach($string as $k => $v) $string[$k] = tao_check($v);
                return $string;

        if($_REQUEST){
                if(get_magic_quotes_gpc()){
                        $_REQUEST = tao_strip($_REQUEST);
                }else{
                        $_POST = tao_check($_POST);
                        $_GET = tao_check($_GET);
                        @extract($_POST);
                        @extract($_GET);
                }
                $_REQUEST=filter_xss($_REQUEST, ALLOWED_HTMLTAGS);
                @extract($_REQUEST);
       

    只做了简单的简单的过滤

    漏洞文件

    shops.php

$cid = addslashes($_GET['cid']);
$page = !($_GET['page'])?'1':intval($_GET['page']);
$page2=($page-1)*15;
$num1=15;

    $sql="select * from 2taoke_shopcats where cid='$cid'";
        $rs=$db->query($sql);
        while($row=$db->fetch_array($rs)){
        $catname=$row['catname'];
        }

 

        $sql="select * from 2taoke_shops where cid='$cid'";
    $rs=$db->query($sql);
        $num = mysql_num_rows($rs);       
       

        $sql="select * from 2taoke_shops where cid=$cid order by level desc limit $page2,$num1"; //整数型的注入。。
    $rs=$db->query($sql);