
输入过滤,防止SQL注入

star7th 9 жил өмнө
parent
commit
d0c0810969

+ 2 - 2
Application/Home/Controller/AttornController.class.php

@@ -21,7 +21,7 @@ class AttornController extends BaseController {
         $login_user = $this->checkLogin();
 
         $username = I("username");
-        $item_id = I("item_id");
+        $item_id = I("item_id/d");
         $password = I("password");
 
         $item  = D("Item")->where("item_id = '$item_id' ")->find();
@@ -33,7 +33,7 @@ class AttornController extends BaseController {
             return ;
         }
 
-        $member = D("User")->where(" username = '$username' ")->find();
+        $member = D("User")->where(" username = '%s' ",array($username))->find();
 
         if (!$member) {
             $return['error_code'] = 10201 ;
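Review bot: The lookup on line 21 still interpolates `'$item_id'` into the SQL string and is safe only because of the `/d` cast added two lines earlier, so its safety depends on a distant line rather than on the query itself. For consistency with the rest of this commit, bind it the same way as the username lookup: `$item  = D("Item")->where("item_id = '%d' ", array($item_id))->find();`. Note that if `where(string, array)` escapes values and runs `vsprintf` (as ThinkPHP 3.x does) rather than using driver-level bound parameters, the `%s` form remains an escaping mechanism whose correctness depends on the connection charset being known to the escaper — worth confirming in the DB driver configuration. The enclosing method starts before this hunk and continues after it.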

+ 5 - 5
Application/Home/Controller/BaseController.class.php

@@ -13,7 +13,7 @@ class BaseController extends Controller {
 		if ( ! session("login_user")) {
 			$cookie_token = cookie('cookie_token');
 			if ($cookie_token) {
-				$ret = D("User")->where("cookie_token = '$cookie_token' ")->find();
+				$ret = D("User")->where("cookie_token = '%d' ",array($cookie_token))->find();
 				if ($ret && $ret['cookie_token_expire'] > time() ) {
 					$login_user = $ret ;
 					session("login_user" , $login_user);
@@ -56,12 +56,12 @@ class BaseController extends Controller {
 			return true;
 		}
 
-		$item = D("Item")->where("item_id = '$item_id' ")->find();
+		$item = D("Item")->where("item_id = '%d' ",array($item_id))->find();
 		if ($item['uid'] && $item['uid'] == $uid) {
 			session("mamage_item_".$item_id , 1 );
 			return true;
 		}
-		$ItemMember = D("ItemMember")->where("item_id = '$item_id' and uid = '$uid' ")->find();
+		$ItemMember = D("ItemMember")->where("item_id = '%d' and uid = '%d' ",array($item_id,$uid))->find();
 		if ($ItemMember) {
 			session("mamage_item_".$item_id , 1 );
 			return true;
@@ -78,7 +78,7 @@ class BaseController extends Controller {
 			return true;
 		}
 
-		$item = D("Item")->where("item_id = '$item_id' ")->find();
+		$item = D("Item")->where("item_id = '%d' ",array($item_id))->find();
 		if ($item['uid'] && $item['uid'] == $uid) {
 			session("creat_item_".$item_id , 1 );
 			return true;
@@ -96,7 +96,7 @@ class BaseController extends Controller {
 			return true;
 		}
 
-		$item = D("Item")->where("item_id = '$item_id' ")->find();
+		$item = D("Item")->where("item_id = '%d' ",array($item_id))->find();
 		if ($item['password']) {
 			//跳转到输入访问密码框
 			header("location:".U("Home/item/pwd").'?item_id='.$item_id);
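Review bot: The cookie-token lookup on line 40 binds the token with `'%d'`, but the same lookup in UserController (this commit, line 307) binds it with `'%s'`, which strongly suggests `cookie_token` is a string column. Formatting a non-numeric token with `%d` yields `0` (or a truncated leading-digit prefix), so the query becomes `cookie_token = '0'` and the remember-me auto-login in BaseController would silently never match a real token. The fix is the specifier: `$ret = D("User")->where("cookie_token = '%s' ",array($cookie_token))->find();`. The remaining `%d` bindings in this file (lines 49, 55, 64, 73) are for `item_id`/`uid` and look correct. Each enclosing method here begins before its hunk.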

+ 6 - 6
Application/Home/Controller/CatalogController.class.php

@@ -6,7 +6,7 @@ class CatalogController extends BaseController {
     //编辑页面
     public function edit(){
 
-        $cat_id = I("cat_id");
+        $cat_id = I("cat_id/d");
 
         $Catalog = D("Catalog")->where(" cat_id = '$cat_id' ")->find();
 
@@ -30,9 +30,9 @@ class CatalogController extends BaseController {
     //保存目录
     public function save(){
         $cat_name = I("cat_name");
-        $order = I("order") ? I("order") : 99 ;
-        $cat_id = I("cat_id")? I("cat_id") : 0;
-        $item_id =  I("item_id");
+        $order = I("order/d") ? I("order/d") : 99 ;
+        $cat_id = I("cat_id/d")? I("cat_id/d") : 0;
+        $item_id =  I("item_id/d");
 
         $login_user = $this->checkLogin();
         if (!$this->checkItemPermn($login_user['uid'] , $item_id)) {
@@ -66,7 +66,7 @@ class CatalogController extends BaseController {
 
     //获取目录列表
     public function catList(){
-        $item_id = I("item_id");
+        $item_id = I("item_id/d");
         if ($item_id > 0 ) {
             $ret = D("Catalog")->where(" item_id = '$item_id' ")->order(" 'order', addtime asc  ")->select();
         }
@@ -81,7 +81,7 @@ class CatalogController extends BaseController {
 
     //删除目录
     public function delete(){
-        $cat_id = I("cat_id")? I("cat_id") : 0;
+        $cat_id = I("cat_id/d")? I("cat_id/d") : 0;
         $cat = D("Catalog")->where(" cat_id = '$cat_id' ")->find();
         $item_id = $cat['item_id'];
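Review bot: The new lines 97, 98 and 117 call `I()` twice for the same key just to fall back to a default, e.g. `I("cat_id/d")? I("cat_id/d") : 0`; the shorthand ternary (PHP 5.3+) reads the input once and is equivalent: `$cat_id = I("cat_id/d") ?: 0;` and `$order = I("order/d") ?: 99;`. The same double-call pattern is introduced in MemberController::delete (line 214) and PageController::save/delete/history (lines 268, 274–276, 285, 294). Separately, the context line 110 orders by `'order'` in single quotes, which is a string literal rather than the column, so that sort term is a no-op — compare the backticked `` `order` `` used in ItemController line 149; MemberController line 207 has the same quoting. Each method here continues past the end of its hunk.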
         

+ 6 - 6
Application/Home/Controller/ItemController.class.php

@@ -15,7 +15,7 @@ class ItemController extends BaseController {
     //新建项目
     public function add(){
     	$login_user = $this->checkLogin();
-        $item_id = I("item_id");
+        $item_id = I("item_id/d");
 		if (!IS_POST) {
           $item = D("Item")->where("item_id = '$item_id' ")->find();
           $this->assign("item" , $item);
@@ -55,7 +55,7 @@ class ItemController extends BaseController {
     //展示单个项目
     public function show(){
         $this->checkLogin(false);
-        $item_id = I("item_id");
+        $item_id = I("item_id/d");
         $keyword = I("keyword");
         $login_user = session("login_user");
         $uid = $login_user['uid'] ? $login_user['uid'] : 0 ;
@@ -67,7 +67,7 @@ class ItemController extends BaseController {
 
         //是否有搜索词
         if ($keyword) {
-            
+            $keyword = mysql_escape_string($keyword);
             $pages = D("Page")->where("item_id = '$item_id' and ( page_title like '%{$keyword}%' or page_content like '%{$keyword}%' ) ")->order(" `order` asc  ")->select();
         
         }else{
@@ -118,7 +118,7 @@ class ItemController extends BaseController {
     public function ajaxDelete(){
         $login_user = $this->checkLogin();
 
-        $item_id = I("item_id");
+        $item_id = I("item_id/d");
         $password = I("password");
 
         $item  = D("Item")->where("item_id = '$item_id' ")->find();
@@ -146,7 +146,7 @@ class ItemController extends BaseController {
 
     //输入访问密码
     public function pwd(){
-        $item_id = I("item_id");
+        $item_id = I("item_id/d");
         if (!IS_POST) {
           $this->assign("item_id" , $item_id);
           $this->display ();
@@ -175,7 +175,7 @@ class ItemController extends BaseController {
     public function word(){
         import("Vendor.Parsedown.Parsedown");
         $Parsedown = new \Parsedown();
-        $item_id =  I("item_id");
+        $item_id =  I("item_id/d");
         $login_user = $this->checkLogin();
         if (!$this->checkItemPermn($login_user['uid'] , $item_id)) {
             $this->message("你无权限");
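Review bot: Line 148 uses `mysql_escape_string()`, which is deprecated since PHP 5.3, removed in PHP 7, ignores the connection charset, and is undefined when the legacy mysql extension is not loaded (fatal error on the search path). This is also the only place in the commit that does not use the `where(string, array)` binding form; rewriting line 149 to bind the values and dropping line 148 keeps the codebase on one mechanism, e.g. `->where("item_id = '%d' and ( page_title like '%%%s%%' or page_content like '%%%s%%' ) ", array($item_id, $keyword, $keyword))` with the existing `->order(...)->select()` chain unchanged (the literal `%` must be doubled because the format goes through `vsprintf`). Neither approach neutralises `%`/`_` inside `$keyword`, so a user-supplied wildcard still widens the LIKE match — acceptable for search, but worth a comment. The `show()` method continues beyond this hunk.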

+ 5 - 5
Application/Home/Controller/MemberController.class.php

@@ -18,14 +18,14 @@ class MemberController extends BaseController {
 
     //保存
     public function save(){
-        $item_id =  I("item_id");
+        $item_id =  I("item_id/d");
         $login_user = $this->checkLogin();
         if (!$this->checkItemCreator($login_user['uid'] , $item_id)) {
             $this->message("你无权限");
             return;
         }
         $username = I("username");
-        $member = D("User")->where(" username = '$username' ")->find();
+        $member = D("User")->where(" username = '%s' ",array($username))->find();
 
         if (!$member) {
             $return['error_code'] = 10201 ;
@@ -54,7 +54,7 @@ class MemberController extends BaseController {
 
     //获取成员列表
     public function getList(){
-        $item_id = I("item_id");
+        $item_id = I("item_id/d");
         if ($item_id > 0 ) {
             $ret = D("ItemMember")->where(" item_id = '$item_id' ")->order(" 'order', addtime asc  ")->select();
         }
@@ -69,7 +69,7 @@ class MemberController extends BaseController {
 
     //删除目录
     public function delete(){
-        $item_id = I("item_id")? I("item_id") : 0;
+        $item_id = I("item_id/d")? I("item_id/d") : 0;
         $login_user = $this->checkLogin();
         if (!$this->checkItemCreator($login_user['uid'] , $item_id)) {
             $this->message("你无权限");
@@ -79,7 +79,7 @@ class MemberController extends BaseController {
 
         if ($username) {
             
-            $ret = D("ItemMember")->where(" item_id = '$item_id' and username = '$username'  ")->limit(1)->delete();
+            $ret = D("ItemMember")->where(" item_id = '%d' and username = '%s'  ",array($item_id,$username))->limit(1)->delete();
 
         }
         if ($ret) {

+ 11 - 11
Application/Home/Controller/PageController.class.php

@@ -6,7 +6,7 @@ class PageController extends BaseController {
     //展示某个项目的单个页面
     public function index(){
         import("Vendor.Parsedown.Parsedown");
-        $page_id = I("page_id");
+        $page_id = I("page_id/d");
         $page = D("Page")->where(" page_id = '$page_id' ")->find();
         $login_user = $this->checkLogin(false);
         if (!$this->checkItemVisit($login_user['uid'] , $page['item_id'])) {
@@ -21,7 +21,7 @@ class PageController extends BaseController {
 
     //返回单个页面的源markdown代码
     public function md(){
-        $page_id = I("page_id");
+        $page_id = I("page_id/d");
         $page = D("Page")->where(" page_id = '$page_id' ")->find();
         echo $page['page_content'];
     }
@@ -29,10 +29,10 @@ class PageController extends BaseController {
     //编辑页面
     public function edit(){
         $login_user = $this->checkLogin();
-        $page_id = I("page_id");
-        $item_id = I("item_id");
+        $page_id = I("page_id/d");
+        $item_id = I("item_id/d");
 
-        $page_history_id = I("page_history_id");
+        $page_history_id = I("page_history_id/d");
 
         if ($page_id > 0 ) {
             if ($page_history_id) {
@@ -68,12 +68,12 @@ class PageController extends BaseController {
     //保存
     public function save(){
         $login_user = $this->checkLogin();
-        $page_id = I("page_id") ? I("page_id") : 0 ;
+        $page_id = I("page_id/d") ? I("page_id/d") : 0 ;
         $page_title = I("page_title") ?I("page_title") : '默认页面';
         $page_content = I("page_content");
-        $cat_id = I("cat_id")? I("cat_id") : 0;
-        $item_id = I("item_id")? I("item_id") : 0;
-        $order = I("order")? I("order") : 99;
+        $cat_id = I("cat_id/d")? I("cat_id/d") : 0;
+        $item_id = I("item_id/d")? I("item_id/d") : 0;
+        $order = I("order/d")? I("order/d") : 99;
 
         $login_user = $this->checkLogin();
         if (!$this->checkItemPermn($login_user['uid'] , $item_id)) {
@@ -124,7 +124,7 @@ class PageController extends BaseController {
 
     //删除页面
     public function delete(){
-        $page_id = I("page_id")? I("page_id") : 0;
+        $page_id = I("page_id/d")? I("page_id/d") : 0;
         $page = D("Page")->where(" page_id = '$page_id' ")->find();
 
         $login_user = $this->checkLogin();
@@ -147,7 +147,7 @@ class PageController extends BaseController {
 
     //历史版本
     public function history(){
-        $page_id = I("page_id") ? I("page_id") : 0 ;
+        $page_id = I("page_id/d") ? I("page_id/d") : 0 ;
         $this->assign("page_id" , $page_id);
 
         $PageHistory = D("PageHistory")->where("page_id = '$page_id' ")->order(" addtime desc")->limit(10)->select();
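Review bot: `md()` (lines 243–248, fully visible in the hunk) echoes `page_content` without the `checkItemVisit()` gate that `index()` applies on lines 238–239, so unless a visit check is enforced elsewhere (e.g. a controller-level hook not shown here), the raw markdown of a page is served regardless of the item's visibility or password. Mirroring `index()` would close the gap: `$login_user = $this->checkLogin(false);` followed by `if (!$this->checkItemVisit($login_user['uid'], $page['item_id'])) { return; }` before the `echo`. This commit's `/d` casts make the `page_id` interpolations on lines 237, 246 and 286 safe, but the authorization check is a separate concern the commit does not address. The other methods in this file start or end outside their hunks.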

+ 1 - 1
Application/Home/Controller/UserController.class.php

@@ -46,7 +46,7 @@ class UserController extends BaseController {
 			//如果有cookie记录,则自动登录
 			$cookie_token = cookie('cookie_token');
 			if ($cookie_token) {
-				$ret = D("User")->where("cookie_token = '$cookie_token' ")->find();
+				$ret = D("User")->where("cookie_token = '%s' ",array($cookie_token))->find();
 				if ($ret && $ret['cookie_token_expire'] > time() ) {
 					$login_user = $ret ;
 					session("login_user" , $login_user);
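Review bot: The cookie auto-login block on lines 304–310 duplicates the one in BaseController (lines 37–43 of this commit), and the two copies now bind `cookie_token` with different specifiers (`%s` here, `%d` there), which is exactly the kind of drift duplication invites. Consider extracting the lookup-and-session step into a single protected helper on BaseController so both call sites share one query, with a one-line comment such as `// cookie_token is an opaque string; bind with %s, never %d`. The `%s` form used here appears to be the correct one. The enclosing method starts before this hunk.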

+ 3 - 3
Application/Home/Model/UserModel.class.php

@@ -9,7 +9,7 @@ class UserModel extends BaseModel {
      * 
      */
     public function isExist($username){
-        return  $this->where("username = '$username'")->find();
+        return  $this->where("username = '%s'",array($username))->find();
     }
 
     /**
@@ -24,7 +24,7 @@ class UserModel extends BaseModel {
     //修改用户密码
     public function updatePwd($uid, $password){
         $password = md5(base64_encode(md5($password)).'576hbgh6');
-        return $this->where("uid ='$uid' ")->save(array('password'=>$password));   
+        return $this->where("uid ='%d' ",array($uid))->save(array('password'=>$password));   
     }
 
     /**
@@ -32,7 +32,7 @@ class UserModel extends BaseModel {
      * @return 
      */
     public function userInfo($uid){
-        return  $this->where("uid = '$uid'")->find();
+        return  $this->where("uid = '%d'",array($uid))->find();
     }
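Review bot: The docblock above `userInfo()` (lines 333–335) has an empty `@return`, and the one above `isExist()` (lines 316–317) describes nothing; since both now rely on the caller passing the right scalar type for the `%s`/`%d` binding, document the contract, e.g. `@param string $username` / `@return array|null the user row, or null when no user matches` for `isExist()`, and `@param int $uid` / `@return array|null` for `userInfo()` (confirm the no-match return value against the framework's `find()`). Out of scope for this commit but visible on context line 327: the password scheme is `md5` with a fixed salt, which is not a suitable password hash; migrating to `password_hash()`/`password_verify()` (with `password_needs_rehash()` on login) would be the standard mitigation. The final hunk's method `userInfo()` is fully visible; `updatePwd()` is fully visible as well.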
     
     /**