espcms最新版sql注入漏洞附分析

在enquiry.php中

$ptitle = $this->fun->accept('ptitle', 'P');    $tsn = $this->fun->accept('tsn', 'P');    $did = $this->fun->accept('did', 'P');    if (empty($did) || empty($amount) || empty($ptitle)) {     $enquirylink = $this->get_link('enquiry', array(), admin_LNG);     $this->callmessage($this->lng['enquiry_input_err'], $enquirylink, $this->lng['enquiry_into_listbotton']);    }    if (!preg_match("/^/w+((-/w+)|(/./w+))*/@[A-Za-z0-9]+((/.|-)[A-Za-z0-9]+)*/.[A-Za-z0-9]+$/i", $email)) {     $this->callmessage($this->lng['email_err'], $_SERVER['HTTP_REFERER'], $this->lng['gobackbotton']);    }    $enquirysn = date('YmdHis') . rand(100, 9999);    $db_table = db_prefix . 'enquiry';    $db_table2 = db_prefix . 'enquiry_info';    $addtime = time();    $db_field = 'enquirysn,userid,linkman,sex,country,province,city,district,address,zipcode,tel,fax,mobile,email,content,isclass,addtime,edittime';    $db_values = "'$enquirysn',$userid,'$linkman',$sex,$country,$province,$city,$district,'$address','$zipcode','$tel','$fax','$mobile','$email','$content',0,$addtime,0";    $this->db->query('INSERT INTO ' . $db_table . ' (' . $db_field . ') VALUES (' . $db_values . ')');    $insert_id = $this->db->insert_id();    $db_values = '';    $arraycount = count($did) - 1;    foreach ($did as $key => $value) {     $value = intval($value);     $amount[$key] = intval($amount[$key]);       if ($key == $arraycount) {      $db_values.= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$amount[$key],'')";     } else {      $db_values.= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$amount[$key],''),";     }    }