<?php
include("./_common.php"); include("../../manage/category/common.php");
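// ---- Database connection ----
// SECURITY: these credentials are hard-coded in a web-reachable source file
// (and are now part of its history). Move them to a config file outside the
// document root or to the environment, and rotate the password.
$DB_HOST = "localhost";
$DB_USER = "WebHostUser";
$DB_PWD = "WebHost5263";
$DB_NAME = "webhost";

// NOTE(review): no connection charset is set here; the values inserted below
// are transcoded to EUC-KR, so the server/connection default is being relied
// on — confirm it matches.
$sqli_dbcon = mysqli_connect($DB_HOST, $DB_USER, $DB_PWD, $DB_NAME);
if ($sqli_dbcon === false) {
    // Fix: the original continued with a false handle, and the first
    // mysqli_* call below would then fail. Stop with a generic status and do
    // not echo mysqli_connect_error() (host/user details) to the client.
    // (On PHP >= 8.1 mysqli reports errors as exceptions by default, in
    // which case this branch is never reached and the exception propagates.)
    http_response_code(500);
    exit;
}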
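/**
 * Legacy blacklist "sanitiser" applied to every POST field before it is used.
 *
 * Fix: in this listing the HTML entities of the first five replacements had
 * been mangled back to bare characters (the fifth, `"""`, is not even valid
 * PHP as printed); they are restored here as &amp; &lt; &gt; &apos &quot;.
 * Everything else is kept exactly as it was, including these quirks, which
 * existing stored data already reflects:
 *   - the later ";" removal also strips the terminating ";" of the entities
 *     just produced, so "<" ends up stored as "&lt", "&" as "&amp", etc.;
 *   - "&apos" is produced without a ";" (as in the original);
 *   - the word removals ("script", "alert", "cookie") are case-sensitive and
 *     single-pass, so they are trivially bypassed ("Script", "scrscriptipt")
 *     while still destroying legitimate text containing those words;
 *   - SQL keywords are removed case-insensitively by SQL_Injection(), which
 *     mangles ordinary input such as a name containing "update".
 * The insert in this script uses a prepared statement with bound values, so
 * none of this is needed for SQL safety; output escaping must still be done
 * per context (HTML, XML, JS) at render time.
 *
 * @param string|string[] $content raw value (str_replace/preg_replace also accept arrays)
 * @return string|string[] the filtered value, same shape as the input
 */
function filter_SQL($content)
{
    // Stage 1: entity-encode HTML metacharacters ("&" first so later entities survive).
    $content = str_replace("&", "&amp;", $content);
    $content = str_replace("<", "&lt;", $content);
    $content = str_replace(">", "&gt;", $content);
    $content = str_replace("'", "&apos", $content);
    $content = str_replace("\"", "&quot;", $content);

    // Stage 2: strip characters the original author considered dangerous.
    $content = str_replace("\r", "", $content);
    $content = str_replace("'", "", $content);   // no-op: quotes were encoded above
    $content = str_replace('"', "", $content);   // no-op: quotes were encoded above
    $content = str_replace("--", "", $content);
    $content = str_replace(";", "", $content);   // also truncates the entities from stage 1
    $content = str_replace("%", "", $content);
    $content = str_replace("+", "", $content);

    // Stage 3: case-sensitive word blacklist (lossy and easily bypassed).
    $content = str_replace("script", "", $content);
    $content = str_replace("alert", "", $content);
    $content = str_replace("cookie", "", $content);

    return SQL_Injection($content);
}

/**
 * Removes SQL keywords and metacharacters in one case-insensitive pass.
 * Kept for compatibility with existing data; it is not a substitute for the
 * prepared statement this script already uses.
 *
 * @param string|string[] $get_Str value to scrub
 * @return string|string[] the value with select/union/insert/update/delete/drop,
 *                         quotes, "#", comment markers, "\" and ";" removed
 */
function SQL_Injection($get_Str)
{
    // "\\\|" in the double-quoted source reaches PCRE as \\| — a literal
    // backslash followed by the alternation bar.
    return preg_replace("/(select|union|insert|update|delete|drop|\"|\'|#|\/\*|\*\/|\\\|\;)/i", "", $get_Str);
}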
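// ---- Normalise the POST fields in place, then import them as local variables ----
// Fix: the original transcoded $val — the raw, unfiltered value — and stored
// that, silently discarding the filter_SQL() result computed one statement
// earlier. Filter first, then transcode the filtered value.
foreach ($_POST as $key => $val) {
    if (!is_string($val)) {
        // Nested values (field[]) would make iconv() fail; leave them untouched.
        continue;
    }
    // The form evidently posts UTF-8; the stored representation is EUC-KR.
    // iconv() returns false on an unconvertible sequence, as before.
    $_POST[$key] = iconv("utf-8", "euc-kr", filter_SQL($val));
}
unset($key, $val);

// SECURITY: extract() turns every POST field into a local variable. With the
// default flags a request could overwrite variables that already exist at
// this point ($sqli_dbcon, the $DB_* values, anything the includes defined).
// EXTR_SKIP keeps existing variables; fields with new names are still
// imported, so the rest of the script works unchanged. Reading
// $_POST['field'] explicitly would be better still, but the code below
// depends on the extracted names.
extract($_POST, EXTR_SKIP);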
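$mode_ok = "Y";
if ($mode_ok == "Y") {
    // ---- Assemble the request from the POST fields imported by extract() ----

    // Mobile number. Assembled here but not written by the insert below.
    $hpno = $hpno1 . "-" . $hpno2 . "-" . $hpno3;

    // Preferred reply channel: 0 = phone number, 1 = e-mail address.
    // Loose comparison is deliberate: the value arrives as a string, and a
    // missing field (null) falls into the phone branch as it always did.
    if ($return_type == 0) {
        $return_content = $tel1 . "-" . $tel2 . "-" . $tel3;
    } else if ($return_type == 1) {
        $return_content = $email;
    }

    // Preferred call-back hours. The suffix is a Korean unit word stored as
    // EUC-KR bytes in this file (it shows as mojibake in this listing); the
    // literal is reproduced byte for byte.
    $return_time = $return_hour . "½Ã";
    $return_time2 = $return_hour2 . "½Ã";

    // "Any time" overrides the time-slot type with 2 (the meaning of the other
    // values is not visible in this file).
    if ($return_anytime == 1) {
        $return_time_type = 2;
    }

    // Fields that may be absent from the POST: map null to "" so the
    // int-typed bindings below see an int-castable value rather than NULL.
    // This is what the original `if ($x == "") $x = "";` chain achieved,
    // minus the undefined-variable notices.
    $return_date = $return_date ?? "";
    $return_time_type = $return_time_type ?? "";
    $return_hour = $return_hour ?? "";
    $return_time_type2 = $return_time_type2 ?? "";
    $return_hour2 = $return_hour2 ?? "";

    // ---- Insert via a prepared statement: values are bound, never interpolated ----
    $sql = "insert into mBoard_softcs set comp_name = ?, name = ?, area = ?, "
         . "return_type = ?, return_content = ?, return_date = ?, return_time_type = ?, "
         . "return_time = ?, return_time_type2 = ?, return_time2 = ?, "
         . "work_content = ?, data_created = ?";

    $stmt = mysqli_prepare($sqli_dbcon, $sql);
    if ($stmt === false) {
        // Fix: the original passed a false $stmt straight to
        // mysqli_stmt_bind_param() and died instead of reporting failure.
        $mode_ok = "N";
        $msg = "¿äû¿¡ ½ÇÆÐÇß½À´Ï´Ù. ´Ù½ÃÇѹø ½ÃµµÇØÁֽʽÿÀ.";
    } else {
        // mysqli_stmt_bind_param() binds by reference, so the timestamp must
        // live in a variable; the original passed date() directly.
        $data_created = date("Y-m-d H:i:s");

        // Type string: s = string, i = int. return_type, return_time_type and
        // return_time_type2 are integer columns; everything else is text.
        $bound = mysqli_stmt_bind_param(
            $stmt,
            "sssissisisss",
            $comp_name,
            $name,
            $area,
            $return_type,
            $return_content,
            $return_date,
            $return_time_type,
            $return_time,
            $return_time_type2,
            $return_time2,
            $work_content,
            $data_created
        );

        // Fix: the bind result was previously assigned but never checked.
        // (On PHP >= 8.1 mysqli raises exceptions by default; these false
        // checks then only matter when the report mode has been changed.)
        if ($bound === false || mysqli_stmt_execute($stmt) === false) {
            $mode_ok = "N";
            $msg = "¿äû¿¡ ½ÇÆÐÇß½À´Ï´Ù. ´Ù½ÃÇѹø ½ÃµµÇØÁֽʽÿÀ.";
        }
        mysqli_stmt_close($stmt);
    }

    mysqli_close($sqli_dbcon);
}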
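// ---- Response: a small XML document consumed by the calling script ----
// SECURITY fix: all three values are echoed into element content and must be
// XML-escaped. $mode comes straight from $_POST (via extract), and $msg is
// only assigned on the failure path above, so on success it is undefined —
// or, because of extract(), whatever the request posted as "msg".
// Escaping is done byte-wise on ASCII metacharacters rather than with
// htmlspecialchars(..., 'UTF-8'), because the failure message is EUC-KR bytes
// while the declaration says utf-8; that pre-existing mismatch is left as is
// (EUC-KR trail bytes are never ASCII, so this is safe for both encodings).
$xml_escape = static function ($value): string {
    return str_replace(
        ['&', '<', '>', '"', "'"],
        ['&amp;', '&lt;', '&gt;', '&quot;', '&apos;'],
        (string) $value
    );
};

// Fix: the original emitted "<?php xml version=..." which is not an XML
// declaration; "<?xml" is what the version/encoding attributes belong to.
echo "<?xml version='1.0' encoding='utf-8'?><output>";
echo "<mode>" . $xml_escape($mode ?? "") . "</mode>";
echo "<mode_ok>" . $xml_escape($mode_ok) . "</mode_ok>";
echo "<msg>" . $xml_escape($msg ?? "") . "</msg>";
echo "</output>";
?>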