fixing several SQL injections
[mirrors/Kyberia-bloodline.git]
/
wwwroot
/
inc
/
eventz
/
login.inc
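--- a/wwwroot/inc/eventz/login.inc
+++ b/wwwroot/inc/eventz/login.inc
@@ -7,7 +7,7 @@ function login() {
 global $db,$error,$node_id;
 $login = mysql_real_escape_string($_POST['login']);
- $password = $_POST['password']; // XXX nice SQLi
+ $password = $_POST['password']; // Not SQLi but be carefull
 $hash = md5($password);
 $login_type = $_POST['login_type'];
 $referer = $_SERVER['HTTP_REFERER'];
@@ -26,6 +26,9 @@ function login() {
 $user_name = $set->getString('login');
 break;
 case "id":
+ // HA! if it is number, escape_string is not enough
+ $login=intval($login);
+
 $q="select * from users where user_id='$login' and password='$hash'";
 $set=$db->query($q);
 $set->next();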
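Review bot: In the `case "id":` branch the added `$login=intval($login);` makes this one value safe, but the query that follows is still built by string interpolation, so it stays injection-free only as long as every variable in it is sanitised by hand beforehand. `intval()` also silently turns non-numeric input into 0 instead of rejecting it; a stricter guard would be `if (!ctype_digit($login)) { /* fail the login */ }` before the query is built, though the function's error path is outside the hunk, so where to hook it in is not visible here. Separately, the unchanged `$hash = md5($password);` in the first hunk means passwords are compared as unsalted MD5 digests, which this commit does not address; moving to `password_hash()`/`password_verify()` would need a schema and migration change. The reworded comment in the first hunk could state why the line is safe, e.g. `// only md5($password), a hex digest, ever reaches the SQL string`. `login()` begins and ends outside both hunks.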