X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Fnodes.php;h=22ec5fc1dbe0da8e42de021ce7f53e2c9665df51;hb=21cabe9db91988ec00901666eaafa26f619dcf33;hp=ff90b6f14a009cca962a241d07fbff8a6653ab77;hpb=82765da6f0265a4e49f4fbd1b8bcad839f2edbb2;p=mirrors%2FKyberia-bloodline.git

diff --git a/wwwroot/nodes.php b/wwwroot/nodes.php
index ff90b6f..22ec5fc 100644
--- a/wwwroot/nodes.php
+++ b/wwwroot/nodes.php
@@ -42,7 +42,7 @@ require(INCLUDE_DIR.'error_messages.inc');
 require(INCLUDE_DIR.'database.inc');
 
 $db = new CLASS_DATABASE();
-$logger = new logger; //XXX
+//$logger = new logger; //XXX
 
 if (!empty($_GET['template_id'])) {
 	$template_id=$_GET['template_id'];
@@ -72,9 +72,10 @@ $smarty->cache_dir = SMARTY_DIR.'cache/';
 $smarty->plugins_dir = SMARTY_PLUGIN_DIR ;
 if ($_SESSION['debugging']) $smarty->debugging=true;
 
-//initializing variables
+// initializing variables
+// preg_replace prevents LFI
 if (empty($_POST['event'])) $event=false;
-else $event=$_POST['event'];
+else $event= preg_replace( "![^a-zA-Z0-9_]+!", "", $_POST['event']);
 
 
 if ($_SESSION['debugging']) {
@@ -283,7 +284,7 @@ if ($_SESSION['user_id']) {
 //if node is css
 if ($node['template_id']!='2019721'){
 
-	$logger->log('enter',$node['node_id'],'ok',$node['node_user_subchild_count']);
+	logger::log('enter',$node['node_id'],'ok',$node['node_user_subchild_count']);
 	if (!empty($_SESSION['user_id']) && is_numeric($node['node_id'])) {
 		$q="update node_access set visits=visits+1,node_user_subchild_count='0',last_visit=NOW() where node_id='".$node['node_id']."' and user_id='".$_SESSION['user_id']."'";
 //		echo $q;
@@ -330,7 +331,7 @@ elseif (!$permissions['r'] && $_GET['magic_word']) {
 
 
 else {
-	$logger->log('enter',$node['node_id'],'failed');
+	logger::log('enter',$node['node_id'],'failed');
 }