From a7104b66fc51b3ec23770be9691b5169599d9906 Mon Sep 17 00:00:00 2001
From: kappa <kappa@inouter.com>
Date: Sat, 10 Jan 2026 14:59:43 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20SQL=20=EC=9D=B8=EC=A0=9D=EC=85=98=20?=
 =?UTF-8?q?=EC=B7=A8=EC=95=BD=EC=A0=90=20=EB=B0=8F=20=EC=9E=85=EB=A0=A5=20?=
 =?UTF-8?q?=EA=B2=80=EC=A6=9D=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- r2_migrate_board_files(): SQL 인젝션 방지를 위해 escape 처리
- r2_migrate_board_files(): 테이블명 정규식 검증 추가
- handleUpload(): 파일 배열 필수 키 체크 추가

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 extend/r2-storage/src/R2FileHandler.php |  5 +++++
 extend/r2_hooks.php                     | 17 +++++++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/extend/r2-storage/src/R2FileHandler.php b/extend/r2-storage/src/R2FileHandler.php
index e0b6cc0..eee65e3 100644
--- a/extend/r2-storage/src/R2FileHandler.php
+++ b/extend/r2-storage/src/R2FileHandler.php
@@ -117,6 +117,11 @@ class R2FileHandler
      */
     public function handleUpload(array $file, string $boTable, int $memberId = 0, string $type = 'board'): array
     {
+        // 필수 키 체크
+        if (!isset($file['error']) || !isset($file['tmp_name']) || !isset($file['name']) || !isset($file['size'])) {
+            return ['success' => false, 'error' => 'Invalid file array'];
+        }
+
         // 업로드 에러 체크
         if ($file['error'] !== UPLOAD_ERR_OK) {
             return $this->handleUploadError($file['error']);
diff --git a/extend/r2_hooks.php b/extend/r2_hooks.php
index 7bba56e..9a93df4 100644
--- a/extend/r2_hooks.php
+++ b/extend/r2_hooks.php
@@ -221,10 +221,17 @@ function r2_migrate_board_files(string $boTable, int $limit = 100): array
     $handler = get_r2_handler();
     $results = ['migrated' => 0, 'failed' => 0, 'skipped' => 0, 'errors' => []];
 
+    // 테이블명 검증 (영문, 숫자, 언더스코어만 허용)
+    if (!preg_match('/^[a-zA-Z0-9_]+$/', $boTable)) {
+        return ['success' => false, 'error' => 'Invalid table name'];
+    }
+
+    $limit = (int) $limit;
+
     // 아직 마이그레이션되지 않은 파일 조회
     $sql = "SELECT bf_no, wr_id, bf_file, bf_source
             FROM {$g5['board_file_table']}
-            WHERE bo_table = '{$boTable}'
+            WHERE bo_table = '" . sql_real_escape_string($boTable) . "'
               AND (bf_storage_type IS NULL OR bf_storage_type = 'local')
               AND bf_r2_key IS NULL
             LIMIT {$limit}";
@@ -240,10 +247,12 @@ function r2_migrate_board_files(string $boTable, int $limit = 100): array
         }
 
         // 회원 ID 조회 (게시글에서)
-        $write = sql_fetch("SELECT mb_id FROM {$g5['write_prefix']}{$boTable} WHERE wr_id = '{$row['wr_id']}'");
+        $wrId = (int) $row['wr_id'];
+        $write = sql_fetch("SELECT mb_id FROM {$g5['write_prefix']}{$boTable} WHERE wr_id = '{$wrId}'");
         $memberId = 0;
-        if ($write['mb_id']) {
-            $member = sql_fetch("SELECT mb_no FROM {$g5['member_table']} WHERE mb_id = '{$write['mb_id']}'");
+        if (!empty($write['mb_id'])) {
+            $mbId = sql_real_escape_string($write['mb_id']);
+            $member = sql_fetch("SELECT mb_no FROM {$g5['member_table']} WHERE mb_id = '{$mbId}'");
             $memberId = (int) ($member['mb_no'] ?? 0);
         }