Revision: 1121
http://mrbs.svn.sourceforge.net/mrbs/?rev=1121&view=rev
Author: jberanek
Date: 2009-06-19 21:10:10 +0000 (Fri, 19 Jun 2009)
Log Message:
-----------
* Added more missing SQL escaping.
Modified Paths:
--------------
mrbs/trunk/web/edit_users.php
mrbs/trunk/web/mrbs_sql.inc
Modified: mrbs/trunk/web/edit_users.php
===================================================================
--- mrbs/trunk/web/edit_users.php 2009-06-19 20:50:59 UTC (rev 1120)
+++ mrbs/trunk/web/edit_users.php 2009-06-19 21:10:10 UTC (rev 1121)
@@ -139,7 +139,7 @@
// Now populate the table with the existing admins
foreach ($auth['admin'] as $admin_name)
{
- $sql = "UPDATE $tbl_users SET level=2 WHERE name='$admin_name'";
+ $sql = "UPDATE $tbl_users SET level=2 WHERE
name='".addslashes($admin_name)."'";
if (sql_command($sql) < 0)
{
fatal_error(0, "Error adding existing admins. " . sql_error());
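Review bot: `addslashes()` on the added line is not a database-aware escape: it backslash-escapes regardless of the connection charset, whereas MySQL expects `mysql_real_escape_string()` for that and PostgreSQL (which this code base presumably also targets, given the `sql_command()` abstraction) treats a backslash as a literal character when `standard_conforming_strings` is on, so the quoting of `name='...'` is only reliable on some configurations. The same pattern is used in the second hunk of this file and in both hunks of mrbs_sql.inc. Since `sql_command()`/`sql_query1()` already hide the driver, a driver-specific escape helper in that layer (or parameterised statements) would be the robust fix; until then a marker such as `// TODO: addslashes() is not charset/driver-aware; use a driver-specific escape` on each of these lines would keep the gap visible. The enclosing foreach body continues outside the hunk.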
@@ -403,7 +403,7 @@
if (isset($Action) && ($Action == "Update"))
{
// If you haven't got the rights to do this, then exit
- $my_id = sql_query1("SELECT id FROM $tbl_users WHERE name='$user' LIMIT 1");
+ $my_id = sql_query1("SELECT id FROM $tbl_users WHERE
name='".addslashes($user)."' LIMIT 1");
if (($level < $min_user_editing_level) && ($Id != $my_id ))
{
Header("Location: edit_users.php");
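Review bot: The rights check at `if (($level < $min_user_editing_level) && ($Id != $my_id ))` redirects with `Header("Location: edit_users.php")` but the hunk ends before showing whether an `exit` follows; if it does not, the update below the redirect still runs for an unauthorised user. Worth confirming the next line is `exit;` (or adding it), since a Location header alone does not stop the script. Separately, `$my_id` is compared with `!=`, so a failed lookup (whatever `sql_query1()` returns on error) should be checked explicitly rather than relied on to mismatch `$Id`. The enclosing if block continues outside the hunk.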
Modified: mrbs/trunk/web/mrbs_sql.inc
===================================================================
--- mrbs/trunk/web/mrbs_sql.inc 2009-06-19 20:50:59 UTC (rev 1120)
+++ mrbs/trunk/web/mrbs_sql.inc 2009-06-19 21:10:10 UTC (rev 1121)
@@ -180,6 +180,8 @@
$private = $private ? 1 : 0;
$name = addslashes($name);
$description = addslashes($description);
+ $owner = addslashes($owner);
+ $type = addslashes($type);
// make sure that any entry is of a positive duration
// this is to trap potential negative duration created when DST comes
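Review bot: The added `$owner = addslashes($owner);` and `$type = addslashes($type);` overwrite the function's input variables with their SQL-escaped form, following the existing `$name`/`$description` lines, so any later non-SQL use of these values inside the function (logging, comparisons, return values) would see backslash-escaped text; escaping at the point where the SQL string is built, e.g. `"... owner='".addslashes($owner)."' ..."`, keeps the inputs intact and makes it obvious each value is escaped exactly once. The same in-place pattern is used in the second hunk of this file (including `$rep_opt`). `addslashes()` is also not charset- or driver-aware, so a driver-specific escape in the sql_* layer would be the durable fix; a short comment above the block, `// escape string fields before interpolating into SQL below`, would at least document the intent. The enclosing function starts outside the hunk.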
@@ -234,6 +236,9 @@
$private = $private ? 1 : 0;
$name = addslashes($name);
$description = addslashes($description);
+ $owner = addslashes($owner);
+ $type = addslashes($type);
+ $rep_opt = addslashes($rep_opt);
// Let's construct the sql statement:
$sql_coln = array(); $sql_val = array();