A user reported that in the DedeCMS voting module the vote topics were frequently being deleted through SQL injection. After reviewing the code in the iOS100 knowledge base, we found that the voting module does not properly escape its SQL parameters, which leaves it open to SQL injection. The fix is simply to replace addslashes() with mysql_real_escape_string().
Open the /include/dedevote.class.php file and find the line:
$this->dsql->ExecuteNoneQuery("UPDATE `#@__vote` SET totalcount='".($this->voteinfos['totalcount']+1)."', votenote='".addslashes($items)."' WHERE aid='".$this->voteid."' ");
Change it to:
$this->dsql->ExecuteNoneQuery("UPDATE `#@__vote` SET totalcount='".($this->voteinfos['totalcount']+1)."', votenote='".mysql_real_escape_string($items)."' WHERE aid='".mysql_real_escape_string($this->voteid)."' ");
Note:
* addslashes() adds backslashes unconditionally, without regard to the character set;
* mysql_real_escape_string() takes the connection's character set into account, but requires PHP 4 >= 4.0.3 or PHP 5;
* mysql_escape_string() does not consider the current character set of the connection (PHP 4 >= 4.0.3, PHP 5; note: deprecated since PHP 5.3, not recommended).
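As an added example (not from this page or from DedeCMS), here is the same totalcount/votenote update written with the mysqli extension, first with explicit escaping as the fix above does, then as a prepared statement so that no escaping decision depends on the character set at all. It assumes an open mysqli connection $link, and that the caller has already expanded the `#@__` table-prefix placeholder, since plain mysqli does not replace it the way DedeCMS's dsql does.

```php
<?php
// Added example, not DedeCMS code. Assumes $link is an open mysqli connection
// and that `#@__vote` has been replaced with the real table name by the caller.

/**
 * Escaping approach, as on this page, but with the connection passed explicitly
 * so the function escapes for that connection's character set. The old mysql_*
 * extension used in the fix above was removed in PHP 7; mysqli is its replacement.
 */
function update_vote_escaped(mysqli $link, int $newCount, string $items, string $voteid): bool
{
    $sql = "UPDATE `#@__vote` SET totalcount='" . $newCount
         . "', votenote='" . mysqli_real_escape_string($link, $items)
         . "' WHERE aid='" . mysqli_real_escape_string($link, $voteid) . "'";
    return mysqli_query($link, $sql) !== false;
}

/**
 * Prepared-statement approach: the values are sent separately from the SQL text,
 * so they can never be parsed as part of the statement regardless of content.
 */
function update_vote_prepared(mysqli $link, int $newCount, string $items, string $voteid): bool
{
    $stmt = mysqli_prepare($link, "UPDATE `#@__vote` SET totalcount=?, votenote=? WHERE aid=?");
    if ($stmt === false) {
        return false;
    }
    // 'i' = integer for totalcount, 's' = string for votenote and aid
    mysqli_stmt_bind_param($stmt, 'iss', $newCount, $items, $voteid);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}
```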
Please credit the source when reprinting: http://www.ios100.net/open/dedecms/15830.html