mirror of
https://github.com/Piwigo/Piwigo.git
synced 2026-07-06 01:42:29 +02:00
merge r2483 from branch 1.7
- security fix : when conf['question_mark_in_urls']=true , $_SERVER['PATH_INFO'] was not sanitized against sql injection - mysql errors are now dumped using trigger_error instead of echo and die -> allow admins to see later on if someone tries funny stuff git-svn-id: http://piwigo.org/svn/trunk@2484 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
@@ -98,6 +98,10 @@ if( !get_magic_quotes_gpc() )
|
||||
@reset($_COOKIE);
|
||||
}
|
||||
}
|
||||
if ( !empty($_SERVER["PATH_INFO"]) )
|
||||
{
|
||||
$_SERVER["PATH_INFO"] = addslashes($_SERVER["PATH_INFO"]);
|
||||
}
|
||||
|
||||
//
|
||||
// Define some basic configuration arrays this also prevents malicious
|
||||
@@ -138,10 +142,8 @@ include(PHPWG_ROOT_PATH . 'include/functions.inc.php');
|
||||
include(PHPWG_ROOT_PATH . 'include/template.class.php');
|
||||
|
||||
// Database connection
|
||||
mysql_connect( $cfgHote, $cfgUser, $cfgPassword )
|
||||
or die ( "Could not connect to database server" );
|
||||
mysql_select_db( $cfgBase )
|
||||
or die ( "Could not connect to database" );
|
||||
@mysql_connect( $cfgHote, $cfgUser, $cfgPassword ) or my_error( 'mysql_connect', true );
|
||||
@mysql_select_db( $cfgBase ) or my_error( 'mysql_select_db', true );
|
||||
|
||||
defined('PWG_CHARSET') and defined('DB_CHARSET')
|
||||
or die('PWG_CHARSET and/or DB_CHARSET is not defined');
|
||||
|
||||
Reference in New Issue
Block a user