Commit: 41e4d4aff29ccbf0ab3ac756e344d73ba1f4e0c2 Author: kovacs.ferenc <[email protected]> Wed, 11 Jun 2014 12:50:39 +0200 Parents: d3839097c4b2bfa614ba87db07fb579102003fb0 Branches: master
Link: http://git.php.net/?p=web/master.git;a=commitdiff;h=41e4d4aff29ccbf0ab3ac756e344d73ba1f4e0c2
Log: introduce a whitelist for the order param
Changed paths:
M manage/event.php
Diff:
diff --git a/manage/event.php b/manage/event.php
index 7d715d7..be186ac 100644
--- a/manage/event.php
+++ b/manage/event.php
@@ -32,7 +32,7 @@ if($id) $id = (int)$id;
 if ($id && $action) {
 switch ($action) {
 case 'approve':
- if (db_query("UPDATE phpcal SET approved=1,app_by='$cuser' WHERE id=$id")
+ if (db_query("UPDATE phpcal SET approved=1,app_by='".real_clean($cuser)."' WHERE id=$id")
 && mysql_affected_rows()) {
 $event = fetch_event($id);
 $message = "This event has been approved. It will appear on the PHP website shortly.";
@@ -231,6 +231,9 @@ $limit = "LIMIT $begin,$max";
 $orderby="";
 $forward = filter_input(INPUT_GET, "forward", FILTER_VALIDATE_INT) ?: 0;
 if ($order) {
+ if (!in_array($order, array('sdato', 'sdesc', 'email', 'country', 'category'))) {
+ $order = 'sdato';
+ }
 if ($forward) {
 $ext = "ASC";
 } else {
-- 
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
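Review bot: The added `real_clean($cuser)` in the UPDATE is only as strong as what `real_clean` does, and that helper is not visible here; unless it is `mysql_real_escape_string()` on the same connection (charset-aware), a crafted multibyte username can still break out of the quoted `app_by` value. `$id` is safe in this statement because the hunk header shows it `(int)`-cast before this point, so the string argument is the remaining risk. I would add a comment above the query, `// $cuser is a string: escape it for the active connection before interpolating; $id is already (int)-cast above`, and check whether the other branches of this switch interpolate `$cuser` or `$action` the same way, since only this branch is changed. The `switch` and the enclosing `if` continue past the end of the hunk.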
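Review bot: The new `in_array` allow-list uses loose comparison and should pass the strict flag: `if (!in_array($order, array('sdato', 'sdesc', 'email', 'country', 'category'), true)) {`. With a plain string from the query string the loose form works here only because none of the entries is numeric; a strict check makes the whitelist independent of how `$order` is produced (its assignment is outside the hunk) and is the form expected for a value that presumably ends up in the `$orderby` clause built below. A one-line comment, `// allow-list: $order must match a known column exactly before it reaches ORDER BY; unknown values fall back to 'sdato'`, would tell the next maintainer why the fallback is silent rather than an error. The `if ($order)` block continues beyond the hunk.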
