require(INCLUDE_DIR.'database.inc');
$db = new CLASS_DATABASE();
-$logger = new logger; //XXX
+//$logger = new logger; //XXX
if (!empty($_GET['template_id'])) {
$template_id=$_GET['template_id'];
$smarty->plugins_dir = SMARTY_PLUGIN_DIR ;
if ($_SESSION['debugging']) $smarty->debugging=true;
-//initializing variables
+// initializing variables
+// preg_replace prevents LFI
if (empty($_POST['event'])) $event=false;
-else $event=$_POST['event'];
+else $event= preg_replace( "![^a-zA-Z0-9_]+!", "", $_POST['event']);
if ($_SESSION['debugging']) {
//if node is css
if ($node['template_id']!='2019721'){
- $logger->log('enter',$node['node_id'],'ok',$node['node_user_subchild_count']);
+ logger::log('enter',$node['node_id'],'ok',$node['node_user_subchild_count']);
if (!empty($_SESSION['user_id']) && is_numeric($node['node_id'])) {
$q="update node_access set visits=visits+1,node_user_subchild_count='0',last_visit=NOW() where node_id='".$node['node_id']."' and user_id='".$_SESSION['user_id']."'";
// echo $q;
else {
- $logger->log('enter',$node['node_id'],'failed');
+ logger::log('enter',$node['node_id'],'failed');
}