1

app/Request.php

@@ -44,68 +44,71 @@ class Request extends \think\Request
      * 不过滤变量名
      * @var array
      */
-    protected $except = ['menu_path', 'api_url', 'unique_auth', 'description', 'custom_form', 'product_detail_diy', 'value'];
-
-    /**
-     * 获取请求的数据
-     * @param array $params
-     * @param bool $suffix
-     * @param bool $filter
-     * @return array
-     */
-    public function more(array $params, bool $suffix = false, bool $filter = true): array
-    {
-        $p = [];
-        $i = 0;
-        foreach ($params as $param) {
-            if (!is_array($param)) {
-                $p[$suffix == true ? $i++ : $param] = $this->filterWord(is_string($this->param($param)) ? trim($this->param($param)) : $this->param($param), $filter && !in_array($param, $this->except));
-            } else {
-                if (!isset($param[1])) $param[1] = null;
-                if (!isset($param[2])) $param[2] = '';
-                if (is_array($param[0])) {
-                    $name = is_array($param[1]) ? $param[0][0] . '/a' : $param[0][0] . '/' . $param[0][1];
-                    $keyName = $param[0][0];
-                } else {
-                    $name = is_array($param[1]) ? $param[0] . '/a' : $param[0];
-                    $keyName = $param[0];
-                }
-                $p[$suffix == true ? $i++ : (isset($param[3]) ? $param[3] : $keyName)] = $this->filterWord(is_string($this->param($name, $param[1], $param[2])) ? trim($this->param($name, $param[1], $param[2])) : $this->param($name, $param[1], $param[2]), $filter && !in_array($keyName, $this->except));
-            }
-        }
-        return $p;
-    }
-
-    /**
-     * 过滤接受的参数
-     * @param $str
-     * @param bool $filter
-     * @return array|mixed|string|string[]
-     */
-    public function filterWord($str, bool $filter = true)
-    {
-        if (!$str || !$filter) return $str;
-        // 把数据过滤
-        $farr = [
-            "/<(\\/?)(script|i?frame|style|html|body|title|link|meta|object|\\?|\\%)([^>]*?)>/isU",
-            "/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU",
-            "/select|join|where|drop|like|modify|rename|insert|update|table|database|alter|truncate|\'|\/\*|\.\.\/|\.\/|union|into|load_file|outfile/is"
-        ];
-        if (is_array($str)) {
-            foreach ($str as &$v) {
-                if (is_array($v)) {
-                    foreach ($v as &$vv) {
-                        if (!is_array($vv)) $vv = preg_replace($farr, '', $vv);
-                    }
-                } else {
-                    $v = preg_replace($farr, '', $v);
-                }
-            }
-        } else {
-            $str = preg_replace($farr, '', $str);
-        }
-        return $str;
-    }
+    protected $except = [
+		'menu_path', 'api_url', 'unique_auth',
+		'description', 'custom_form', 'product_detail_diy', 'value', 'member', 'product_category_diy'
+	];
+
+
+	/**
+	 * 获取请求的数据
+	 * @param array $params
+	 * @param bool $suffix
+	 * @param bool $filter
+	 * @return array
+	 */
+	public function more(array $params, bool $suffix = false, bool $filter = true): array
+	{
+		$p = [];
+		$i = 0;
+		foreach ($params as $param) {
+			if (!is_array($param)) {
+				$p[$suffix == true ? $i++ : $param] = $this->param($param);
+			} else {
+				if (!isset($param[1])) $param[1] = null;
+				if (!isset($param[2])) $param[2] = '';
+				if (is_array($param[0])) {
+					$name = is_array($param[1]) ? $param[0][0] . '/a' : $param[0][0] . '/' . $param[0][1];
+					$keyName = $param[0][0];
+				} else {
+					$name = is_array($param[1]) ? $param[0] . '/a' : $param[0];
+					$keyName = $param[0];
+				}
+
+				$p[$suffix == true ? $i++ : ($param[3] ?? $keyName)] = $this->param($name, $param[1], $param[2]);
+			}
+		}
+
+		if ($filter && $p) {
+			$p = $this->filterArrayValues($p);
+		}
+
+		return $p;
+	}
+
+	/**
+	 * @param $array
+	 * @return array
+	 */
+	public function filterArrayValues($array)
+	{
+		$result = [];
+		foreach ($array as $key => $value) {
+			if (is_array($value)) {
+				// 如果值是数组，递归调用 filterArrayValues
+				$result[$key] = in_array($key, $this->except) ? $value : $this->filterArrayValues($value);
+			} else {
+				if (in_array($key, $this->except) || is_int($value) || is_null($value)) {
+					$result[$key] = $value;
+				} else {
+					// 如果值是字符串，过滤特殊字符
+					$result[$key] = filter_str($value);
+				}
+
+			}
+		}
+		return $result;
+	}
 
 
     /**

app/common.php

@@ -598,3 +598,61 @@ if (!function_exists('get_group_user')) {
     }
 }
 
+if (!function_exists('stringToIntArray')) {
+
+    /**
+     * 处理ids等并过滤参数
+     * @param string $string
+     * @param string $separator
+     * @return array
+     */
+    function stringToIntArray(string $string, string $separator = ',')
+    {
+        return !empty($string) ? array_unique(array_diff(array_map('intval', explode($separator, $string)), [0])) : [];
+    }
+}
+
+if (!function_exists('filter_str')) {
+    /**
+     * 过滤字符串敏感字符
+     * @param $str
+     * @return array|mixed|string|string[]|null
+     */
+    function filter_str($str)
+    {
+        $rules = [
+            '/\.\./', // 禁用包含 ../ 的参数
+            '/\<\?/', // 禁止 php 脚本出现
+            '/\bor\b.*=.*/i', // 匹配 'or 1=1'，防止 SQL 注入（注意边界词 \b 和不区分大小写 i 修饰符）
+            '/(select[\s\S]*?)(from|limit)/i', // 防止 SQL 注入
+            '/(union[\s\S]*?select)/i', // 防止 SQL 注入
+            '/(having|updatexml|extractvalue)/i', // 防止 SQL 注入
+            '/sleep\((\s*)(\d*)(\s*)\)/i', // 防止 SQL 盲注
+            '/benchmark\((.*)\,(.*)\)/i', // 防止 SQL 盲注
+            '/base64_decode\(/i', // 防止 SQL 变种注入
+            '/(?:from\W+information_schema\W)/i', // 注意这里的 (?:...) 是不合法的，应该是 (?:...) 表示非捕获组，但通常我们不需要这个
+            '/(?:current_|user|database|schema|connection_id)\s*\(/i', // 防止 SQL 注入（注意去掉了不必要的 (?:...)）
+            '/(?:etc\/\W*passwd)/i', // 防止窥探 Linux 用户信息
+            '/into(\s+)(?:dump|out)file\s*/i', // 禁用 MySQL 导出函数
+            '/group\s+by.+\(/i', // 防止 SQL 注入
+            '/(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/i', // 禁用 webshell 相关某些函数
+            '/(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/\//i', // 防止一些协议攻击（注意协议后的三个斜杠）
+            '/\$_(GET|POST|COOKIE|FILES|SESSION|ENV|GLOBALS|SERVER)\[/i', // 禁用一些内置变量，注意 PHP 变量名通常是大写的
+            '/<(iframe|script|body|img|layer|div|meta|style|base|object|input)/i', // 防止 XSS 标签植入
+            '/(onmouseover|onerror|onload|onclick)\=/i', // 防止 XSS 事件植入
+            '/\|\|.*?(?:ls|pwd|whoami|ll|ifconfig|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/i', // 防止执行 shell（注意去掉了不合适的 ifconfog）
+            '/\sand\s+.*=.*/i' // 匹配 and 1=1
+        ];
+        if (filter_var($str, FILTER_VALIDATE_URL)) {
+            $url = parse_url($str);
+            if (!isset($url['scheme'])) return $str;
+            $host = $url['scheme'] . '://' . $url['host'];
+            $str = $host . preg_replace($rules, '', str_replace($host, '', $str));
+        } else {
+            $str = preg_replace($rules, '', $str);
+        }
+        return $str;
+    }
+}
+
+

app/services/product/product/StoreProductServices.php

@@ -1395,8 +1395,8 @@ class StoreProductServices extends BaseServices
             $where = array_merge($where, $promotionsWhere);
         }
         unset($where['promotions_id']);
-        if (isset($where['productId']) && $where['productId'] !== '') {
-            $where['ids'] = explode(',', $where['productId']);
+        if (isset($where['productId']) && $where['productId'] != '') {
+            $where['ids'] = is_string($where['productId']) ? stringToIntArray($where['productId']) : $where['productId'];
             $where['ids'] = array_unique(array_map('intval', $where['ids']));
             unset($where['productId']);
         }

app/services/user/AwardIntegralServices.php

@@ -261,15 +261,20 @@ class AwardIntegralServices extends BaseServices
     {
         $sum = $this->dao->search()->whereTime('add_time', 'yesterday')->sum('order_price');
         $system_check = sys_config('system_achievement_check', 10000);
+        if ($sum < $system_check) {
+            $update['send_time'] = time();
+            $this->dao->search()->where('status', 0)->where('sent_num<num')->where('send_time', '<', $test ? (time() + 1000) : strtotime('today'))->update($update);
+            return true;
+        }
         $list = $this->dao->search()->where('status', 0)->where('sent_num<num')->where('send_time', '<', $test ? (time() + 1000) : strtotime('today'))->limit($test ? 10000 : 50)->select();
         foreach ($list as $v) {
             $day_send = $v['day_send'];
             $send_day = $v['send_day'];
             $up_speed = $v['up_speed'] - $v['up_speed_used'];
-            if ($sum < $system_check) {
-                if (!$test) $send_day = $v['send_day'] + sys_config('fail_inc_send_day', 1);
-                $day_send = bcdiv((string)(($v['num'] - $v['sent_num'] + $v['up_speed_used'])), (string)($send_day - $v['sent_day']), 2);
-            }
+//            if ($sum < $system_check) {
+//            if (!$test) $send_day = $v['send_day'] + sys_config('fail_inc_send_day', 1);
+//            $day_send = bcdiv((string)(($v['num'] - $v['sent_num'] + $v['up_speed_used'])), (string)($send_day - $v['sent_day']), 2);
+//            }
             $up_speed = bcdiv((string)$up_speed, (string)($send_day - $v['sent_day']), 2);
 
             $real_send = $day_send + $up_speed;