merge r2483 from branch 1.7

- security fix : when conf['question_mark_in_urls']=true , $_SERVER['PATH_INFO'] was not sanitized against sql injection
- mysql errors are now dumped using trigger_error instead of echo and die -> allow admins to see later on if someone tries funny stuff

git-svn-id: http://piwigo.org/svn/trunk@2484 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
rvelices
2008-08-23 01:18:13 +00:00
parent 707351a95c
commit 726529c49b
2 changed files with 27 additions and 18 deletions
+6 -4
View File
@@ -98,6 +98,10 @@ if( !get_magic_quotes_gpc() )
@reset($_COOKIE);
}
}
if ( !empty($_SERVER["PATH_INFO"]) )
{
$_SERVER["PATH_INFO"] = addslashes($_SERVER["PATH_INFO"]);
}
//
// Define some basic configuration arrays this also prevents malicious
@@ -138,10 +142,8 @@ include(PHPWG_ROOT_PATH . 'include/functions.inc.php');
include(PHPWG_ROOT_PATH . 'include/template.class.php');
// Database connection
mysql_connect( $cfgHote, $cfgUser, $cfgPassword )
or die ( "Could not connect to database server" );
mysql_select_db( $cfgBase )
or die ( "Could not connect to database" );
@mysql_connect( $cfgHote, $cfgUser, $cfgPassword ) or my_error( 'mysql_connect', true );
@mysql_select_db( $cfgBase ) or my_error( 'mysql_select_db', true );
defined('PWG_CHARSET') and defined('DB_CHARSET')
or die('PWG_CHARSET and/or DB_CHARSET is not defined');