Commit: bb43cf8fb5d2199bd849849fab658ec743e9dce6 Author: Johannes Schlüter <[email protected]> Sun, 14 Oct 2012 17:51:04 +0200 Parents: bcd16a13d21d0beee9119ec0e8bd77c2ffa9fb2a Branches: master
Link: http://git.php.net/?p=web/master.git;a=commitdiff;h=bb43cf8fb5d2199bd849849fab658ec743e9dce6
Log: Escape user data in event submission
Changed paths: M entry/event.php
Diff:
diff --git a/entry/event.php b/entry/event.php
index c4c27d5..80c4899 100644
--- a/entry/event.php
+++ b/entry/event.php
@@ -18,9 +18,14 @@ function day($in) {
     return strftime('%A',mktime(12,0,0,4,$in,2001));
 }
+@mysql_connect("localhost","nobody", "")
+    or die("failed to connect to database");
+@mysql_select_db("phpmasterdb")
+    or die("failed to select database");
+
 $valid_vars = array('sdesc','ldesc','email','country','category','type','url','sane','smonth','sday','syear','emonth','eday','eyear','recur','recur_day');
 foreach($valid_vars as $k) {
-    $$k = isset($_REQUEST[$k]) ? $_REQUEST[$k] : false;
+    $$k = isset($_REQUEST[$k]) ? mysql_real_escape_string($_REQUEST[$k]) : false;
 }
 if (empty($sdesc) || empty($email) || empty($country) || empty($category) || empty($type) || empty($url))
@@ -34,11 +39,6 @@ if ($sane != 3) {
     // utf8 safe truncate, while php not compile with mb_string
     $l = 32;
     while (strlen($sdesc) > 32) { $sdesc = iconv_substr($sdesc, 0, $l--, 'UTF-8'); }
-@mysql_connect("localhost","nobody", "")
-    or die("failed to connect to database");
-@mysql_select_db("phpmasterdb")
-    or die("failed to select database");
-
 switch($type) {
     case 'single':
         if (!checkdate($smonth, $sday, $syear))
-- 
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
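Review bot: Escaping every `$_REQUEST` value with `mysql_real_escape_string()` inside the `foreach` in the first hunk applies SQL-specific escaping at intake, so the same variables are then used in non-SQL contexts with backslashes already inserted: the `while (strlen($sdesc) > 32)` truncation in the second hunk now measures and cuts the escaped string, and cutting it right after a backslash leaves a dangling escape that breaks (and in the worst case unbalances) the quoting of whatever query later consumes `$sdesc`, while `empty()` and `checkdate()` likewise operate on escaped input. The safer shape is to keep the raw values, `$$k = isset($_REQUEST[$k]) ? $_REQUEST[$k] : false;`, and escape each value at the point where the SQL string is built (or switch that query to mysqli/PDO prepared statements); the query itself is outside these hunks. Separately, `mysql_real_escape_string()` escapes according to the connection's character set, and the moved `mysql_connect`/`mysql_select_db` block never sets one although the code treats `$sdesc` as UTF-8; unless that is configured elsewhere, add `mysql_set_charset('utf8');` right after `mysql_select_db()`. The enclosing `if ($sane != 3) {` block of the second hunk begins before the hunk.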
