On Tue, May 10, 2011 at 09:01:29PM -0700, elij wrote:
> the query was being performed when $id was not set, resulting in an
> invalid sql query being performed.
> ---
> web/lib/acctfuncs.inc | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc
> index 5bcff8b..b2f0548 100644
> --- a/web/lib/acctfuncs.inc
> +++ b/web/lib/acctfuncs.inc
> @@ -786,6 +786,9 @@ function valid_passwd( $userID, $passwd )
> */
> function user_suspended( $id )
> {
> + if (!$id) {
> + return false;
> + }
> $dbh = db_connect();
> $q = "SELECT Suspended FROM Users WHERE ID = " . $id;
> $result = db_query($q, $dbh);
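Review bot: The new guard at the top of user_suspended() only catches an empty or unset $id; the line `$q = "SELECT Suspended FROM Users WHERE ID = " . $id;` still concatenates $id into the SQL string without any type check, so a non-numeric value would still reach the database. Since ID is an integer column, casting first (e.g. `$id = intval($id);` and treating `$id <= 0` as invalid) or binding it as a query parameter would cover both the unset case this patch targets and the malformed case. One more point on the early `return false;`: it reports an unknown account as not suspended, which is the permissive answer, so if any caller uses this result for an access decision, an invalid $id should probably not silently pass, which argues for validating at the call site rather than masking the missing value here.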
Looks ok, but I'd rather say we should locate the code path that led to
the unset parameter and add some additional validation there to avoid
further unexpected behaviour.