From 4cea789e34d85461c00f05824d27b2aa44ce85e5 Mon Sep 17 00:00:00 2001
From: niekt0
Date: Thu, 13 Jan 2011 14:33:37 +0100
Subject: [PATCH] Security fix (sqli)

---
 {wwwroot/inc/eventz => trash}/configure_bookmarks.inc | 0
 {wwwroot/inc/eventz => trash}/configure_parent.inc | 0
 wwwroot/inc/eventz/banlist.inc | 3 ++-
 3 files changed, 2 insertions(+), 1 deletion(-)
 rename {wwwroot/inc/eventz => trash}/configure_bookmarks.inc (100%)
 rename {wwwroot/inc/eventz => trash}/configure_parent.inc (100%)

diff --git a/wwwroot/inc/eventz/configure_bookmarks.inc b/trash/configure_bookmarks.inc
similarity index 100%
rename from wwwroot/inc/eventz/configure_bookmarks.inc
rename to trash/configure_bookmarks.inc
diff --git a/wwwroot/inc/eventz/configure_parent.inc b/trash/configure_parent.inc
similarity index 100%
rename from wwwroot/inc/eventz/configure_parent.inc
rename to trash/configure_parent.inc
diff --git a/wwwroot/inc/eventz/banlist.inc b/wwwroot/inc/eventz/banlist.inc
index b806cb1..3f08d4d 100644
--- a/wwwroot/inc/eventz/banlist.inc
+++ b/wwwroot/inc/eventz/banlist.inc
@@ -8,7 +8,8 @@ if ($node['node_permission']!=('owner' || 'master' || 'op')) {
     $error=$error_messages['EVENT_PERMISSION_ERROR'];
     return false;
 }
-    $bans=explode(";",$_POST['bans']); // XXX sqli?
+    $bans = explode(";",$_POST['bans']); // XXX sqli?
+    $bans = array_map('mysql_real_escape_string', $bans);
     $db->query("update node_access set node_permission='' where node_id=$node_id and node_permission='ban'");
     foreach ($bans as $ban) {
-- 
2.30.2
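Review bot: `mysql_real_escape_string` on the added line only neutralises quote and backslash characters, so it protects the `foreach` body (which continues past the end of the hunk) only if each `$ban` is interpolated inside a quoted string literal in the query; if it is interpolated bare, for example as a numeric id, the injection remains. It also requires an open ext/mysql link — if `$db` is mysqli or PDO the call returns `false` with a warning and every ban collapses to `''` — so either escape through `$db`'s own API or, if bans are numeric ids, use `array_map('intval', $bans)`, and replace the now-stale `// XXX sqli?` with `// escaped for interpolation inside single quotes in the queries below`. Note that `$node_id` in the `update node_access` context line is still interpolated without escaping or a cast; confirm it is cast to int upstream. Separately, the permission guard shown in the hunk header, `!=('owner' || 'master' || 'op')`, compares `$node['node_permission']` against `true`, so any non-empty permission value passes; it should be `!in_array($node['node_permission'], array('owner','master','op'), true)`.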