adam/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-06-02 04:15:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

merge r4752 from branch 2.0 to trunk

Browse Source 
bug 1401 fixed: let's use the mysql_real_escape_string on POST fields (even if
I was not able to reproduce any attack because fields are heavily processed
before any SQL query).


git-svn-id: http://piwigo.org/svn/trunk@4753 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
plegall
2010-01-26 09:20:10 +00:00
parent 09019e8bc1
commit f107f5bf1a
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
search.php
+12
View File
@@ -35,6 +35,14 @@ $errors = array();
$search = array(); $search = array();
if (isset($_POST['submit'])) if (isset($_POST['submit']))
{ {
foreach ($_POST as $post_key => $post_value)
{
if (!is_array($post_value))
{
$_POST[$post_key] = mysql_real_escape_string($post_value);
}
}
if (isset($_POST['search_allwords']) if (isset($_POST['search_allwords'])
and !preg_match('/^\s*$/', $_POST['search_allwords'])) and !preg_match('/^\s*$/', $_POST['search_allwords']))
{ {
@@ -63,6 +71,8 @@ if (isset($_POST['submit']))
if (isset($_POST['tags'])) if (isset($_POST['tags']))
{ {
check_input_parameter('tags', $_POST['tags'], true, PATTERN_ID);
$search['fields']['tags'] = array( $search['fields']['tags'] = array(
'words' => $_POST['tags'], 'words' => $_POST['tags'],
'mode' => $_POST['tag_mode'], 'mode' => $_POST['tag_mode'],
@@ -82,6 +92,8 @@ if (isset($_POST['submit']))
if (isset($_POST['cat'])) if (isset($_POST['cat']))
{ {
check_input_parameter('cat', $_POST['cat'], true, PATTERN_ID);
$search['fields']['cat'] = array( $search['fields']['cat'] = array(
'words' => $_POST['cat'], 'words' => $_POST['cat'],
'sub_inc' => ($_POST['subcats-included'] == 1) ? true : false, 'sub_inc' => ($_POST['subcats-included'] == 1) ? true : false,