SQL injection problem exists for multiple functions below version 5.0

[feizi76]

I found a lot of such code in our extensive penetration test.

$sql=$Data->query("select * from users where id=$id"); $sql=$Data->where("id=$id")->select();

Such code is not pre-processed by sql during preprocessing. can be seen

protected function parseSql($sql,$parse) { if(true === $parse) { $options = $this->_parseOptions(); $sql = $this->db->parseSql($sql,$options); }elseif(is_array($parse)){ // SQL预处理 $parse = array_map(array($this->db,'escapeString'),$parse); $sql = vsprintf($sql,$parse); }else{ $sql = strtr($sql,array('__TABLE__'=>$this->getTableName(),'__PREFIX__'=>C('DB_PREFIX'))); } $this->db->setModel($this->name); return $sql; }

or

`public function where($where,$parse=null){ if(!is_null($parse) && is_string($where)) { if(!is_array($parse)) { $parse = func_get_args(); array_shift($parse); } $parse = array_map(array($this->db,'escapeString'),$parse); $where = vsprintf($where,$parse); }elseif(is_object($where)){ $where = get_object_vars($where); } if(is_string($where) && '' != $where){ $map = array(); $map['_string'] = $where; $where = $map; }
if(isset($this->options['where'])){ $this->options['where'] = array_merge($this->options['where'],$where); }else{ $this->options['where'] = $where; }

return $this;

} `

And the official website also has a lot of such writings.http://www.thinkphp.cn/extend/246.html Are all wrong demonstrations that will cause more SQL injection Sql injection can also be performed in the MODEL.class.php limit function and the order function.

public function limit($offset,$length=null){ $this->options['limit'] = is_null($length)?$offset:$offset.','.$length; return $this; } $sql=$Data->where("id=$id")->order($id);