【PHP代码审计】 那些年我们一起挖掘SQL注入 - 4.全局防护Bypass之二次注入

elseif ($act == ‘make4_save‘) {
    $resume_education = get_resume_education($_SESSION[‘uid‘], $_REQUEST[‘pid‘]);
    if (count($resume_education) >= 6) showmsg(‘教育经历不能超过6条！‘, 1, $link);
    $setsqlarr[‘uid‘] = intval($_SESSION[‘uid‘]);
    $setsqlarr[‘pid‘] = intval($_REQUEST[‘pid‘]);
    if ($setsqlarr[‘uid‘] == 0 || $setsqlarr[‘pid‘] == 0) showmsg(‘参数错误！‘, 1);
    $setsqlarr[‘start‘] = trim($_POST[‘start‘]) ? $_POST[‘start‘] : showmsg(‘请填写开始时间！‘, 1, $link);
    $setsqlarr[‘endtime‘] = trim($_POST[‘endtime‘]) ? $_POST[‘endtime‘] : showmsg(‘请填写结束时间！‘, 1, $link);
    $setsqlarr[‘school‘] = trim($_POST[‘school‘]) ? $_POST[‘school‘] : showmsg(‘请填写学校名称！‘, 1, $link);
    $setsqlarr[‘speciality‘] = trim($_POST[‘speciality‘]) ? $_POST[‘speciality‘] : showmsg(‘请填写专业名称！‘, 1, $link);
    $setsqlarr[‘education‘] = trim($_POST[‘education‘]) ? $_POST[‘education‘] : showmsg(‘请选择获得学历！‘, 1, $link);
    $setsqlarr[‘education_cn‘] = trim($_POST[‘education_cn‘]) ? $_POST[‘education_cn‘] : showmsg(‘请选择获得学历！‘, 1, $link);
    //看到这里有个插入表“qs_resume_education”的操作，将教育背景相关的字段入库
    if (inserttable(table(‘resume_education‘), $setsqlarr)) {
        check_resume($_SESSION[‘uid‘], intval($_REQUEST[‘pid‘]));

//检查简历的完成程度
function check_resume($uid, $pid)
{
    global $db, $timestamp, $_CFG;
    $uid = intval($uid);
    $pid = intval($pid);
    $percent = 0;
    $resume_basic = get_resume_basic($uid, $pid);
    $resume_intention = $resume_basic[‘intention_jobs‘];
    $resume_specialty = $resume_basic[‘specialty‘];
    //获取教育经历，出数据库了
    $resume_education = get_resume_education($uid, $pid);
    if (!empty($resume_basic)) $percent = $percent + 15;
    if (!empty($resume_intention)) $percent = $percent + 15;
    if (!empty($resume_specialty)) $percent = $percent + 15;
    if (!empty($resume_education)) $percent = $percent + 15;
    if ($resume_basic[‘photo_img‘] && $resume_basic[‘photo_audit‘] == "1" && $resume_basic[‘photo_display‘] == "1") {
        $setsqlarr[‘photo‘] = 1;
    } else {
        $setsqlarr[‘photo‘] = 0;
    }
    if ($percent < 60) {
        $setsqlarr[‘complete_percent‘] = $percent;
        $setsqlarr[‘complete‘] = 2;
    } else {
        $resume_work = get_resume_work($uid, $pid);
        $resume_training = get_resume_training($uid, $pid);
        $resume_photo = $resume_basic[‘photo_img‘];
        if (!empty($resume_work)) $percent = $percent + 13;
        if (!empty($resume_training)) $percent = $percent + 13;
        if (!empty($resume_photo)) $percent = $percent + 14;
        $setsqlarr[‘complete‘] = 1;
        $setsqlarr[‘complete_percent‘] = $percent;
        require_once(QISHI_ROOT_PATH . ‘include/splitword.class.php‘);
        $sp = new SPWord();
        $setsqlarr[‘key‘] = $resume_basic[‘intention_jobs‘] . $resume_basic[‘recentjobs‘] . $resume_basic[‘specialty‘];
        $setsqlarr[‘key‘] = "{$resume_basic[‘fullname‘]} " . $sp->extracttag($setsqlarr[‘key‘]);
        $setsqlarr[‘key‘] = str_replace(",", " ", $resume_basic[‘intention_jobs‘]) . " {$setsqlarr[‘key‘]} {$resume_basic[‘education_cn‘]}";
        $setsqlarr[‘key‘] = $sp->pad($setsqlarr[‘key‘]);
        if (!empty($resume_education)) {
            //遍历教育经历所有字段，加入到数组里
            foreach ($resume_education as $li) {
                $setsqlarr[‘key‘] = "{$li[‘school‘]} {$setsqlarr[‘key‘]} {$li[‘speciality‘]}";
            }
        }
        $setsqlarr[‘refreshtime‘] = $timestamp;
    }
    //这里对教育经历做了次更新操作，二次注入由此产生！
    updatetable(table(‘resume‘), $setsqlarr, "uid=‘{$uid}‘ AND id=‘{$pid}‘");
    updatetable(table(‘resume_tmp‘), $setsqlarr, "uid=‘{$uid}‘ AND id=‘{$pid}‘");