Home >Backend Development >PHP Tutorial >开发dz插件后台提示错误

开发dz插件后台提示错误

WBOY
WBOYOriginal
2016-06-23 13:49:431425browse

这是php的代码

<?phpif(!defined('IN_DISCUZ') || !defined('IN_ADMINCP')) {	exit('Access Denied');}			include template('baoming:fabu');	if($_GET['a'] == 'post'){		if($_GET['submit'] && submitcheck('formhash'))	{		$arr=array();		$arr['name']=trim($_GET['name']);		$arr['jj']=$_GET['jj'];				if($arr['name']=='') showmessage('名称不能为空');		if($arr['jj']=='') showmessage('简介不能为空');						$arr = daddslashes($arr);				$id=DB::insert('bm_post',$arr,true);if($id>0){showmessage('添加失败');}else{showmessage('添加失败');}			}}?>

模板的
<form id="form" name="form" method="post" action="plugin.php?id=baoming:fabu&a=post" enctype="multipart/form-data"><table width="100%" border="0" cellpadding="0" cellspacing="0" class="a1" style="margin-top:15px;">  <tr>    <td width="10"> </td>    <td width="100">名称:</td>    <td><input name="name" id="name" type="text" size="50" /></td>  </tr>    <tr>      <td> </td>      <td>简介:</td>      <td>        <label></label>       <label>          <textarea name="jj" cols="60" rows="4"></textarea>      </label></td>    </tr>    <tr>    <td> </td>    <td> </td>    <td><label>      <input type="submit" name="submit" style="height:25px;" value="提交"  />              <input type="reset" name="submit2" style="height:25px;" value="重写" />      </label></td>  </tr></table><input type="hidden" name="formhash" value="{FORMHASH}" /></form>

错误提示
Discuz! System Error

您当前的访问请求当中含有非法字符,已经被系统拒绝
PHP Debug

[Line: 0025]admin.php(discuz_application->init)
[Line: 0071]source\class\discuz\discuz_application.php(discuz_application->_init_misc)
[Line: 0552]source\class\discuz\discuz_application.php(discuz_application->_xss_check)
[Line: 0355]source\class\discuz\discuz_application.php(system_error)
[Line: 0023]source\function\function_core.php(discuz_error::system_error)
[Line: 0024]source\class\discuz\discuz_error.php(discuz_error::debug_backtrace)


回复讨论(解决方案)

请贴出你提交后php页面获取的$_SERVER['REQUEST_URI']
应该是有特殊字符,

请贴出你提交后php页面获取的$_SERVER['REQUEST_URI']
应该是有特殊字符,

我在空表单上提交也是提示这个

这个说不清楚,只能看你的$_SERVER['REQUEST_URI']这个值
抛出错误的位置在source\class\discuz\discuz_application.php,里面有个_xss_check()的私有方法,你自己看一下吧

$_SERVER['REQUEST_URI']这个值

/admin.php?action=plugins&operation=config&do=23&identifier=baoming&pmod=fabu

X2.5测试没问题,请查看你的_xss_check()方法,在source\class\discuz\discuz_application.php
是否如下所示,若不是,请替换

private function _xss_check() {		$temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));		if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {			system_error('request_tainting');		}		return true;	}



是不是这的事



是不是这的事

我检查了 这里都对

好像是 formhash  发送说是接受有错误

应该是formhash的问题,因为原来的_xss_check()方法是要验证formhash

private function _xss_check() {	static $check = array('"', '>', '<', '\'', '(', ')', 'CONTENT-TRANSFER-ENCODING');	if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {		system_error('request_tainting');	}	if($_SERVER['REQUEST_METHOD'] == 'GET' ) {		$temp = $_SERVER['REQUEST_URI'];	} elseif(empty ($_GET['formhash'])) {		$temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');	} else {		$temp = '';	}	if(!empty($temp)) {		$temp = strtoupper(urldecode(urldecode($temp)));		foreach ($check as $str) {			if(strpos($temp, $str) !== false) {				system_error('request_tainting');			}		}	}	return true;}


所以,让你改为X2.5的_xss_check()方法试试

在前台也得验证formhash,怎么就可以通过,到了后台就不行了呢

呃...能力有限,没研究过,也没遇到过
而且,根据discuz的报错,我在X2.5的discuz_application.php的_init_misc方法中没有找到执行_xss_check()的代码
不知道你的版本是多少
若是低版本就将discuz_application.php这个文件覆盖一下试试

哎  !  我是3.2的

无论如何非常感谢jam00  结贴给分

我擦,没玩过这么高大上的版本...我下来看了一下,还真有,我看看...

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn