Code reading in bed: phpcms [0x01]
Line 57 of phpcms/modules/formguide/index.php:

```php
$formguide_input = new formguide_input($formid);
$data = $formguide_input->get($_POST['info']);
```

A formguide_input object is created here, and its get() method processes the info array taken from $_POST. The relevant part of get() (a few rows omitted):

```php
function get($data, $isimport = 0) {
    $this->data = $data;
    $info = array();
    foreach ($this->fields as $field) {
        ......
        $value = $data[$field['field']];   // $value is taken straight from $data, i.e. from $_POST['info']
        ......                             // ($length is computed in the omitted rows)
        if ($maxlength && $length > $maxlength) {
            if ($isimport) {
                $value = str_cut($value, $maxlength, '');   // str_cut truncates the value by bytes
            } else {
                showmessage($name.' '.L('not_more_than').' '.$maxlength.L('characters'));
            }
        } elseif ($maxlength) {
            $value = str_cut($value, $maxlength, '');       // truncated again here
        }
        ......
    }
    return $info;
}
```

str_cut is a phpcms custom truncation function; its third parameter controls the dot ("...") appended after the cut. When the value is `123\'` and the length is 4, the cut lands after the backslash: the quote is removed and a lone backslash is left at the end of the value. These variables then reach the insert on line 63 of phpcms/modules/formguide/index.php:

```php
$dataid = $this->m_db->insert($data, true);
```

which causes the SQL injection vulnerability.

The str_cut code:

```php
function str_cut($string, $length, $dot = '...') {
    $strlen = strlen($string);
    if ($strlen <= $length) return $string;
    // Swap entities back to the characters they stand for, and spaces to a placeholder ('∵'),
    // so the byte counting below sees one character per entity.
    $string = str_replace(array(' ', '&nbsp;', '&amp;', '&quot;', '&#039;', '&ldquo;', '&rdquo;', '&mdash;', '&lt;', '&gt;', '&middot;', '&hellip;'),
                          array('∵', ' ', '&', '"', "'", '“', '”', '—', '<', '>', '·', '…'), $string);
    $strcut = '';
    if (strtolower(CHARSET) == 'utf-8') {
        $length = intval($length - strlen($dot) - $length / 3);
        $n = $tn = $noc = 0;
        while ($n < strlen($string)) {
            $t = ord($string[$n]);   // the lead byte decides how many bytes the character occupies
            if ($t == 9 || $t == 10 || (32 <= $t && $t <= 126)) {
                $tn = 1; $n++; $noc++;
            } elseif (194 <= $t && $t <= 223) {
                $tn = 2; $n += 2; $noc += 2;
            } elseif (224 <= $t && $t <= 239) {
                $tn = 3; $n += 3; $noc += 2;
            } elseif (240 <= $t && $t <= 247) {
                $tn = 4; $n += 4; $noc += 2;
            } elseif (248 <= $t && $t <= 251) {
                $tn = 5; $n += 5; $noc += 2;
            } elseif ($t == 252 || $t == 253) {
                $tn = 6; $n += 6; $noc += 2;
            } else {
                $n++;
            }
            if ($noc >= $length) {
                break;
            }
        }
        if ($noc > $length) {
            $n -= $tn;
        }
        $strcut = substr($string, 0, $n);   // cut at a byte offset: a trailing escape backslash gets no special treatment
        $strcut = str_replace(array('∵', '&', '"', "'", '“', '”', '—', '<', '>', '·', '…'),
                              array(' ', '&amp;', '&quot;', '&#039;', '&ldquo;', '&rdquo;', '&mdash;', '&lt;', '&gt;', '&middot;', '&hellip;'), $strcut);
    } else {
        $dotlen = strlen($dot);
        $maxi = $length - $dotlen - 1;
        $current_str = '';
        $search_arr = array('&', ' ', '"', "'", '“', '”', '—', '<', '>', '·', '…', '∵');
        $replace_arr = array('&amp;', '&nbsp;', '&quot;', '&#039;', '&ldquo;', '&rdquo;', '&mdash;', '&lt;', '&gt;', '&middot;', '&hellip;', ' ');
        $search_flip = array_flip($search_arr);
        for ($i = 0; $i < $maxi; $i++) {
            // Double-byte charset: a byte above 127 is the first half of a two-byte character
            $current_str = ord($string[$i]) > 127 ? $string[$i].$string[++$i] : $string[$i];
            if (in_array($current_str, $search_arr)) {
                $key = $search_flip[$current_str];
                $current_str = str_replace($search_arr[$key], $replace_arr[$key], $current_str);
            }
            $strcut .= $current_str;
        }
    }
    return $strcut.$dot;
}
```

I wanted to prove this, but testing it locally failed: the table does not exist. The vulnerability steps are as described above.

Solution:
Do not cancel the dot operation when the value is written to the database.
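The ordering defect behind this bug, as an added example that is not phpcms code: a value that has already been escaped (addslashes or magic quotes) is byte-truncated to the field's maxlength, which can split the escape sequence and leave a dangling backslash in front of the closing quote. The plain substr() stands in for str_cut, and the PDO/SQLite part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not phpcms code: escape-then-truncate versus truncate-then-escape.
// Stand-in for str_cut: a plain byte truncation with no dot appended.
function truncate_bytes(string $value, int $max): string {
    return strlen($value) <= $max ? $value : substr($value, 0, $max);
}

// Vulnerable order: the value arrives already escaped, then maxlength is applied.
// Cutting right after the backslash leaves it dangling before the closing quote.
function escaped_then_truncated(string $raw, int $max): string {
    return truncate_bytes(addslashes($raw), $max);
}

// Safe order: enforce the length on the raw value and escape afterwards, so an
// escape sequence is never split by the cut.
function truncated_then_escaped(string $raw, int $max): string {
    return addslashes(truncate_bytes($raw, $max));
}

// Defensive check a DB layer can apply before interpolating a literal: an odd run
// of trailing backslashes means the quote that follows will be escaped away.
function ends_with_dangling_backslash(string $escaped): bool {
    $run = strlen($escaped) - strlen(rtrim($escaped, '\\'));
    return $run % 2 === 1;
}

$raw  = "123'";                                 // constructed input: three digits and a quote
$bad  = escaped_then_truncated($raw, 4);        // "123\"  -> escaped "123\'" cut to 4 bytes
$good = truncated_then_escaped($raw, 4);        // "123\'" -> raw value fits, escaped intact

printf("vulnerable: INSERT INTO t (a, b) VALUES ('%s', '%s')\n", $bad, 'x');
// The literal now reads '123\', 'x' -> the string runs past its intended closing quote.
printf("dangling backslash: %s\n", ends_with_dangling_backslash($bad) ? 'yes' : 'no');
printf("fixed:      INSERT INTO t (a, b) VALUES ('%s', '%s')\n", $good, 'x');

// Better still: do not build the statement from strings at all; bind the
// length-checked raw value and let the driver handle quoting.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE t (a TEXT, b TEXT)');
$stmt = $pdo->prepare('INSERT INTO t (a, b) VALUES (:a, :b)');
$stmt->execute([':a' => truncate_bytes($raw, 4), ':b' => 'x']);
echo $pdo->query('SELECT a FROM t')->fetchColumn(), "\n";   // 123'
```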