Security fix (sqli)
authorniekt0 <niekt0@kyberia.cz>
Thu, 13 Jan 2011 13:33:37 +0000 (14:33 +0100)
committerniekt0 <niekt0@kyberia.cz>
Thu, 13 Jan 2011 13:33:37 +0000 (14:33 +0100)
trash/configure_bookmarks.inc [moved from wwwroot/inc/eventz/configure_bookmarks.inc with 100% similarity]
trash/configure_parent.inc [moved from wwwroot/inc/eventz/configure_parent.inc with 100% similarity]
wwwroot/inc/eventz/banlist.inc

index b806cb1c939b511f460801f88ca621a6ade24995..3f08d4d01cf9e0bd5bc26413e8ca025fb47ba620 100644 (file)
@@ -8,7 +8,8 @@ if ($node['node_permission']!=('owner' || 'master' || 'op')) {
 $error=$error_messages['EVENT_PERMISSION_ERROR'];
 return false;
 }
-               $bans=explode(";",$_POST['bans']); // XXX sqli?
+               $bans = explode(";",$_POST['bans']); // XXX sqli?
+               $bans = array_map('mysql_real_escape_string', $bans); 
 
                $db->query("update node_access set node_permission='' where node_id=$node_id and node_permission='ban'");
                foreach ($bans as $ban) {
This page took 0.329838 seconds and 4 git commands to generate.