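// Remaining denylist replacements of the enclosing sanitising helper (its
// signature precedes this fragment); left exactly as found.
$ret_string = str_replace("^", "", $ret_string);
$ret_string = str_replace("&", "", $ret_string);
$ret_string = str_replace("(", "", $ret_string);
$ret_string = str_replace(")", "", $ret_string);
$ret_string = str_replace("=", "", $ret_string);
$ret_string = str_replace("+", "", $ret_string);
$ret_string = str_replace("%00", "", $ret_string);
$ret_string = str_replace(";", "", $ret_string);
$ret_string = str_replace(":", "", $ret_string);
$ret_string = str_replace("|", "", $ret_string);
$ret_string = str_replace("<", "", $ret_string);
$ret_string = str_replace(">", "", $ret_string);
$ret_string = str_replace("~", "", $ret_string);
$ret_string = str_replace("`", "", $ret_string);
$ret_string = str_replace("%20and%20", "", $ret_string);
$ret_string = stripslashes($ret_string);
return $ret_string;
}

/**
 * Denylist scan of every $_POST value (nested values included); aborts the
 * request with an error page when a value contains one of the listed
 * substrings.
 *
 * This is a coarse denylist, not a substitute for parameterised queries: it
 * rejects legitimate input that merely contains words such as "update" or
 * "select", and a denylist cannot enumerate every form a hostile value may
 * take. Database access should use prepared statements regardless.
 *
 * Takes no parameters and returns nothing; a call site that assigns its
 * return value receives null.
 *
 * @return void
 */
function check_sql_inject()
{
    $badchars = array("--", "truncate", "tbl_", "exec", ";", "'", "*", "/", " \\ ", "drop", "select", "update", "delete", "where", "-1", "-2", "-3", "-4", "-5", "-6", "-7", "-8", "-9");

    // Walk nested values too (e.g. field[]) so array elements are not skipped
    // by the scan; top-level scalar values are handled exactly as before.
    array_walk_recursive($_POST, function ($value) use ($badchars) {
        // Lower-case once per value rather than once per denylist entry.
        $lowered = strtolower((string) $value);
        foreach ($badchars as $bad) {
            // strstr() returns false only on no match; compare strictly instead
            // of relying on the truthiness of the returned substring.
            if (strstr($lowered, $bad) !== false) {
                // PHP_SELF reflects the request path (including path info), so
                // it is escaped for the HTML attribute context before output.
                $self = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
                $self = htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
                die('Использованы недопустимые символы, <a href="' . $self . '">вернитесь назад</a>');
            }
        }
    });
}

check_sql_inject();
db_mysql_check_xss();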
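/**
 * Job search action: reads the filter parameters from $_GET, builds the
 * WHERE clause for the xm_jobs query, pages the result and renders the
 * "index" template.
 *
 * Recognised query parameters (all optional):
 *   style   - job type (filters mold_id)
 *   wage    - salary (filters money; range separator ":")
 *   address - address id, resolved to a city name through the Address model
 *   isvld   - organisation verification flag (xm_orgs.is_validate)
 *   peonum  - number of people wanted (want_peo; range separator ":")
 *   wt      - working hours (work_time; range separator ":")
 *   py      - payment method (pay_way)
 *   time    - time period (begin_time; range separator ":")
 *
 * @return void
 */
public function search()
{
    C('URL_MODEL', 0);
    $this->showMolds();
    $this->showAddress();
    $this->showRouteNav();

    // For each filter field, expose the current URL with that field (and the
    // page number) removed, so the template can link to "this search minus X".
    $nurl = __SELF__;
    foreach (array_keys($this->all_fields) as $key) {
        $the_url = $nurl;
        // Strict comparison: strpos() yields 0 when the key sits at offset 0,
        // which a bare truthiness test would mistake for "not found".
        if (strpos($nurl, $key) !== false) {
            $quoted = preg_quote($key, '/');
            // Key somewhere in the middle of the query string.
            $the_url = preg_replace("/&{$quoted}=.*?&/", '&', $nurl);
            if ($nurl == $the_url) {
                // Key at the end of the query string.
                $the_url = preg_replace("/&{$quoted}=.*\$/", '', $nurl);
            }
            $the_url = preg_replace("/&p=\\d*\$/", '', $the_url);
            $the_url = preg_replace("/&p=\\d*&/", '&', $the_url);
        }
        $this->assign("now_url_" . $key, $the_url);
    }

    // Collect the GET filters. ThinkPHP injects _URL_ into $_GET; skip it.
    $arr_get = array();
    foreach ($_GET as $key => $value) {
        if ($key === '_URL_') {
            continue;
        }
        // NOTE(review): the filter value is replaced by check_sql_inject()'s
        // return value. A check_sql_inject() that takes no arguments and
        // returns nothing also exists; if that definition is the one loaded
        // here, every entry below becomes null and all filters are silently
        // dropped — confirm which definition applies.
        $value = check_sql_inject($value);
        $arr_get[$key] = $value;
    }
    // Default every filter to null so absent parameters raise no notices;
    // existing keys win over the defaults.
    $arr_get += array(
        'style' => null, 'wage' => null, 'address' => null, 'isvld' => null,
        'peonum' => null, 'wt' => null, 'py' => null, 'time' => null,
    );

    // Resolve an address id to its city name; the query filters on city.
    // Reading ['city'] off a non-array (no address given, or no row found)
    // was a string/bool offset access — a warning or TypeError depending on
    // the PHP version — so the row is checked first.
    $city = '';
    if (!empty($arr_get['address'])) {
        $Address = M('Address');
        $row = $Address->field('city')->find($arr_get['address']);
        // No usable row: filter on null, the same value a missing parameter gets.
        $city = (is_array($row) && isset($row['city'])) ? $row['city'] : null;
    }

    // SECURITY: the WHERE clause is assembled by string concatenation from
    // request parameters; strongWhere() is relied on to escape them, and the
    // denylist in check_sql_inject() is not a sufficient defence on its own.
    // The ORM's array-form where() with bound values is preferable here.
    $Job = M('jobs');
    $Job->query("SET sql_mode = 'NO_UNSIGNED_SUBTRACTION'");
    $where = "(" . time() . "- expire_time)<0"
        . " AND " . "is_pass=0"
        . " AND " . $this->strongWhere($arr_get['style'], "mold_id", "AND")
        . $this->strongWhere($arr_get['wage'], "money", "AND", '', ":")
        . $this->strongWhere($city, "city", "AND")
        . $this->strongWhere($arr_get['peonum'], "want_peo", "AND", '', ':')
        . $this->strongWhere($arr_get['py'], 'pay_way', 'AND')
        . $this->strongWhere($arr_get['wt'], "work_time", "AND", '', ":")
        . $this->strongWhere($arr_get['time'], "begin_time", "AND", '', ":")
        . "1=1";

    $field = "xm_jobs.title AS title,\n\t\t\t\t xm_jobs.address AS address,\n\t\t\t\t xm_jobs.jid AS jid,\n\t\t\t\t xm_jobs.want_peo AS want_peo,\n\t\t\t\t xm_jobs.current_peo AS current_peo,\n\t\t\t\t xm_jobs.money,\n\t\t\t\t money_style,\n\t\t\t\t xm_mold.name AS moldname,\n\t\t\t\t xm_jobs.begin_time AS begin_time,\n\t\t\t\t xm_jobs.work_time AS wktime,\n\t\t\t\t xm_jobs.pv AS pv,\n\t\t\t\t addressname";
    $join = "INNER JOIN `xm_orgs` ON xm_orgs.oid=xm_jobs.pub_oid"
        . $this->strongWhere($arr_get['isvld'], 'xm_orgs.is_validate', 'AND', true);
    $join_mold = "LEFT JOIN `xm_mold` ON xm_mold.mid = xm_jobs.mold_id";

    // Page size is fixed at 15 rows.
    import('ORG.Util.Page');
    $count = $Job->where($where)->join($join)->count();
    $Page = new Page($count, 15);
    $this->assign("page", $Page->show());

    $arr2 = $Job->field($field)
        ->join($join)
        ->join($join_mold)
        ->limit($Page->firstRow . ',' . $Page->listRows)
        ->where($where)
        ->select();
    if ($arr2) {
        $this->assign("job_list", $arr2);
    } elseif (is_null($arr2)) {
        // select() returned null: no matching rows.
        $this->assign("error_info", "没有符合要求的结果");
    } else {
        // Any other falsy result is treated as a query failure.
        $this->assign("error_info", "检索出错");
    }
    $this->display('index');
}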