취약점 보안 및 코드 개선

adm/boardgroup_list_update.php

@@ -18,16 +18,16 @@
 for ($i=0; $i<$count; $i++)
 {
     $k     = $_POST['chk'][$i];
-    $gr_id = $_POST['group_id'][$k];
-    $gr_subject = strip_tags($_POST['gr_subject'][$k]);
+    $gr_id = preg_replace('/[^a-z0-9_]/i', '', $_POST['group_id'][$k]);
+    $gr_subject = sql_real_escape_string(strip_tags($_POST['gr_subject'][$k]));
 
     if($_POST['act_button'] == '선택수정') {
         $sql = " update {$g5['group_table']}
                     set gr_subject    = '{$gr_subject}',
-                        gr_device     = '{$_POST['gr_device'][$k]}',
-                        gr_admin      = '{$_POST['gr_admin'][$k]}',
-                        gr_use_access = '{$_POST['gr_use_access'][$k]}',
-                        gr_order      = '{$_POST['gr_order'][$k]}'
+                        gr_device     = '".sql_real_escape_string($_POST['gr_device'][$k])."',
+                        gr_admin      = '".sql_real_escape_string($_POST['gr_admin'][$k])."',
+                        gr_use_access = '".sql_real_escape_string($_POST['gr_use_access'][$k])."',
+                        gr_order      = '".sql_real_escape_string($_POST['gr_order'][$k])."'
                   where gr_id         = '{$gr_id}' ";
         if ($is_admin != 'super')
             $sql .= " and gr_admin    = '{$_POST['gr_admin'][$k]}' ";

adm/boardgroupmember_update.php

@@ -48,7 +48,7 @@
     check_admin_token();
 
     for($i=0; $i<$count; $i++) {
-        $gm_id = $_POST['chk'][$i];
+        $gm_id = (int) $_POST['chk'][$i];
         $sql = " select * from {$g5['group_member_table']} where gm_id = '$gm_id' ";
         $gm = sql_fetch($sql);
         if (!$gm['gm_id']) {

adm/member_form_update.php

@@ -33,9 +33,14 @@
 $mb_zip1 = substr($_POST['mb_zip'], 0, 3);
 $mb_zip2 = substr($_POST['mb_zip'], 3);
 
+$mb_email = isset($_POST['mb_email']) ? get_email_address(trim($_POST['mb_email'])) : '';
+$mb_nick = isset($_POST['mb_nick']) ? trim(strip_tags($_POST['mb_nick'])) : '';
+
+if ($msg = valid_mb_nick($mb_nick))     alert($msg, "", true, true);
+
 $sql_common = "  mb_name = '{$_POST['mb_name']}',
-                 mb_nick = '{$_POST['mb_nick']}',
-                 mb_email = '{$_POST['mb_email']}',
+                 mb_nick = '{$mb_nick}',
+                 mb_email = '{$mb_email}',
                  mb_homepage = '{$_POST['mb_homepage']}',
                  mb_tel = '{$_POST['mb_tel']}',
                  mb_hp = '{$mb_hp}',
@@ -74,13 +79,13 @@
         alert('이미 존재하는 회원아이디입니다.\\nＩＤ : '.$mb['mb_id'].'\\n이름 : '.$mb['mb_name'].'\\n닉네임 : '.$mb['mb_nick'].'\\n메일 : '.$mb['mb_email']);
 
     // 닉네임중복체크
-    $sql = " select mb_id, mb_name, mb_nick, mb_email from {$g5['member_table']} where mb_nick = '{$_POST['mb_nick']}' ";
+    $sql = " select mb_id, mb_name, mb_nick, mb_email from {$g5['member_table']} where mb_nick = '{$mb_nick}' ";
     $row = sql_fetch($sql);
     if ($row['mb_id'])
         alert('이미 존재하는 닉네임입니다.\\nＩＤ : '.$row['mb_id'].'\\n이름 : '.$row['mb_name'].'\\n닉네임 : '.$row['mb_nick'].'\\n메일 : '.$row['mb_email']);
 
     // 이메일중복체크
-    $sql = " select mb_id, mb_name, mb_nick, mb_email from {$g5['member_table']} where mb_email = '{$_POST['mb_email']}' ";
+    $sql = " select mb_id, mb_name, mb_nick, mb_email from {$g5['member_table']} where mb_email = '{$mb_email}' ";
     $row = sql_fetch($sql);
     if ($row['mb_id'])
         alert('이미 존재하는 이메일입니다.\\nＩＤ : '.$row['mb_id'].'\\n이름 : '.$row['mb_name'].'\\n닉네임 : '.$row['mb_nick'].'\\n메일 : '.$row['mb_email']);
@@ -104,13 +109,13 @@
         alert($mb['mb_id'].' : 로그인 중인 관리자 레벨은 수정 할 수 없습니다.');
 
     // 닉네임중복체크
-    $sql = " select mb_id, mb_name, mb_nick, mb_email from {$g5['member_table']} where mb_nick = '{$_POST['mb_nick']}' and mb_id <> '$mb_id' ";
+    $sql = " select mb_id, mb_name, mb_nick, mb_email from {$g5['member_table']} where mb_nick = '{$mb_nick}' and mb_id <> '$mb_id' ";
     $row = sql_fetch($sql);
     if ($row['mb_id'])
         alert('이미 존재하는 닉네임입니다.\\nＩＤ : '.$row['mb_id'].'\\n이름 : '.$row['mb_name'].'\\n닉네임 : '.$row['mb_nick'].'\\n메일 : '.$row['mb_email']);
 
     // 이메일중복체크
-    $sql = " select mb_id, mb_name, mb_nick, mb_email from {$g5['member_table']} where mb_email = '{$_POST['mb_email']}' and mb_id <> '$mb_id' ";
+    $sql = " select mb_id, mb_name, mb_nick, mb_email from {$g5['member_table']} where mb_email = '{$mb_email}' and mb_id <> '$mb_id' ";
     $row = sql_fetch($sql);
     if ($row['mb_id'])
         alert('이미 존재하는 이메일입니다.\\nＩＤ : '.$row['mb_id'].'\\n이름 : '.$row['mb_name'].'\\n닉네임 : '.$row['mb_nick'].'\\n메일 : '.$row['mb_email']);

adm/point_list_delete.php

@@ -16,9 +16,11 @@
 {
     // 실제 번호를 넘김
     $k = $_POST['chk'][$i];
+    $po_id = (int) $_POST['po_id'][$k];
+    $str_mb_id = sql_real_escape_string($_POST['mb_id'][$k]);
 
     // 포인트 내역정보
-    $sql = " select * from {$g5['point_table']} where po_id = '{$_POST['po_id'][$k]}' ";
+    $sql = " select * from {$g5['point_table']} where po_id = '{$po_id}' ";
     $row = sql_fetch($sql);
 
     if(!$row['po_id'])
@@ -39,19 +41,19 @@
     }
 
     // 포인트 내역삭제
-    $sql = " delete from {$g5['point_table']} where po_id = '{$_POST['po_id'][$k]}' ";
+    $sql = " delete from {$g5['point_table']} where po_id = '{$po_id}' ";
     sql_query($sql);
 
     // po_mb_point에 반영
     $sql = " update {$g5['point_table']}
                 set po_mb_point = po_mb_point - '{$row['po_point']}'
-                where mb_id = '{$_POST['mb_id'][$k]}'
-                  and po_id > '{$_POST['po_id'][$k]}' ";
+                where mb_id = '{$str_mb_id}'
+                  and po_id > '{$po_id}' ";
     sql_query($sql);
 
     // 포인트 UPDATE
     $sum_point = get_point_sum($_POST['mb_id'][$k]);
-    $sql= " update {$g5['member_table']} set mb_point = '$sum_point' where mb_id = '{$_POST['mb_id'][$k]}' ";
+    $sql= " update {$g5['member_table']} set mb_point = '$sum_point' where mb_id = '{$str_mb_id}' ";
     sql_query($sql);
 }
 

bbs/password_lost2.php

@@ -11,7 +11,7 @@
     alert('자동등록방지 숫자가 틀렸습니다.');
 }
 
-$email = trim($_POST['mb_email']);
+$email = get_email_address(trim($_POST['mb_email']));
 
 if (!$email)
     alert_close('메일주소 오류입니다.');