adam/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-06-01 20:04:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

bug 3186: improved security on search.php

Browse Source 
git-svn-id: http://piwigo.org/svn/trunk@30864 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
plegall
2015-01-08 13:06:27 +00:00
parent 503f13db47
commit 639edaa04b
2 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
search.php
+5 -4
View File
@@ -48,9 +48,8 @@ if (isset($_POST['submit']))
and !preg_match('/^\s*$/', $_POST['search_allwords']))
{
check_input_parameter('mode', $_POST, false, '/^(OR|AND)$/');
check_input_parameter('fields', $_POST, true, '/^(name|comment|file)$/');
$fields = array_intersect($_POST['fields'], array('name', 'comment', 'file'));
$drop_char_match = array(
'-','^','$',';','#','&','(',')','<','>','`','\'','"','|',',','@','_',
'?','%','~','.','[',']','{','}',':','\\','/','=','\'','!','*');
@@ -71,7 +70,7 @@ if (isset($_POST['submit']))
)
),
'mode' => $_POST['mode'],
'fields' => $fields,
'fields' => $_POST['fields'],
);
}
@@ -112,6 +111,8 @@ if (isset($_POST['submit']))
}
// dates
check_input_parameter('date_type', $_POST, false, '/^date_(creation|available)$/');
$type_date = $_POST['date_type'];
if (!empty($_POST['start_year']))
@@ -151,7 +152,7 @@ if (isset($_POST['submit']))
INSERT INTO '.SEARCH_TABLE.'
(rules, last_seen)
VALUES
(\''.serialize($search).'\', NOW())
(\''.pwg_db_real_escape_string(serialize($search)).'\', NOW())
;';
pwg_query($query);