From 4cea789e34d85461c00f05824d27b2aa44ce85e5 Mon Sep 17 00:00:00 2001
From: niekt0 <niekt0@kyberia.cz>
Date: Thu, 13 Jan 2011 14:33:37 +0100
Subject: [PATCH] Security fix (sqli)

---
 {wwwroot/inc/eventz => trash}/configure_bookmarks.inc | 0
 {wwwroot/inc/eventz => trash}/configure_parent.inc    | 0
 wwwroot/inc/eventz/banlist.inc                        | 3 ++-
 3 files changed, 2 insertions(+), 1 deletion(-)
 rename {wwwroot/inc/eventz => trash}/configure_bookmarks.inc (100%)
 rename {wwwroot/inc/eventz => trash}/configure_parent.inc (100%)

diff --git a/wwwroot/inc/eventz/configure_bookmarks.inc b/trash/configure_bookmarks.inc
similarity index 100%
rename from wwwroot/inc/eventz/configure_bookmarks.inc
rename to trash/configure_bookmarks.inc
diff --git a/wwwroot/inc/eventz/configure_parent.inc b/trash/configure_parent.inc
similarity index 100%
rename from wwwroot/inc/eventz/configure_parent.inc
rename to trash/configure_parent.inc
diff --git a/wwwroot/inc/eventz/banlist.inc b/wwwroot/inc/eventz/banlist.inc
index b806cb1..3f08d4d 100644
--- a/wwwroot/inc/eventz/banlist.inc
+++ b/wwwroot/inc/eventz/banlist.inc
@@ -8,7 +8,8 @@ if ($node['node_permission']!=('owner' || 'master' || 'op')) {
 $error=$error_messages['EVENT_PERMISSION_ERROR'];
 return false;
 }
-		$bans=explode(";",$_POST['bans']); // XXX sqli?
+		$bans = explode(";",$_POST['bans']); // XXX sqli?
+		$bans = array_map('mysql_real_escape_string', $bans); 
 
 		$db->query("update node_access set node_permission='' where node_id=$node_id and node_permission='ban'");
 		foreach ($bans as $ban) {
-- 
2.30.2