修正命令执行漏洞

src/admin/sys_info_mark.php

@@ -26,7 +26,8 @@ if ($action == "save") {
     $vars = array('photo_markup', 'photo_markdown', 'photo_marktype', 'photo_wwidth', 'photo_wheight', 'photo_waterpos', 'photo_watertext', 'photo_fontsize', 'photo_fontcolor', 'photo_marktrans', 'photo_diaphaneity');
     $configstr = $shortname = "";
     foreach ($vars as $v) {
-        ${$v} = str_replace("'", "", ${'get_'.$v});
+        $tmp = stripslashes(${'get_'.$v});
+        ${$v} = addslashes(str_replace("'", "", $tmp));
         $configstr .= "\${$v} = '".${$v}."';\r\n";
     }
     if (is_uploaded_file($newimg)) {

src/user/inc/inc_pwd_functions.php

@@ -100,10 +100,10 @@ function newmail($mid, $userid, $mailto, $type, $send)
         $key = md5($randval);
         $sql = "UPDATE `#@__pwd_tmp` SET `pwd` = '$key',mailtime = '$mailtime'  WHERE `mid` ='$mid';";
         if ($db->ExecuteNoneQuery($sql)) {
-            if ($send == 'Y') {
+            if ($send === 'Y') {
                 sendmail($mailto, $mailtitle, $mailbody, $headers);
                 ShowMsg('EMAIL修改验证码已经发送到原来的邮箱请查收', 'login.php');
-            } elseif ($send == 'N') {
+            } elseif ($send === 'N') {
                 return ShowMsg('稍后跳转到修改页', $cfg_basehost.$cfg_memberurl."/resetpassword.php?dopost=getpasswd&id=".$mid."&key=".$randval);
             }
         } else {