fixes #823 add input user check to avoid SQLi on users list

2026-03-28 17:42:57 +01:00 · 2017-12-18 14:02:52 +01:00
parent 8d25fa6e23
commit 1da9d6afc4
1 changed files with 7 additions and 5 deletions
--- a/admin/user_list_backend.php
+++ b/admin/user_list_backend.php
@@ -67,8 +67,7 @@ $sTable = USERS_TABLE.' INNER JOIN '.USER_INFOS_TABLE.' AS ui ON '.$conf['user_f
 $sLimit = "";
 if ( isset( $_REQUEST['iDisplayStart'] ) && $_REQUEST['iDisplayLength'] != '-1' )
 {
-  $sLimit = "LIMIT ".pwg_db_real_escape_string( $_REQUEST['iDisplayStart'] ).", ".
-    pwg_db_real_escape_string( $_REQUEST['iDisplayLength'] );
+  $sLimit = "LIMIT ".$_REQUEST['iDisplayStart'].", ".$_REQUEST['iDisplayLength'];
 }
 	
 	
@@ -80,10 +79,13 @@ if ( isset( $_REQUEST['iSortCol_0'] ) )
  $sOrder = "ORDER BY  ";
  for ( $i=0 ; $i<intval( $_REQUEST['iSortingCols'] ) ; $i++ )
  {
-    if ( $_REQUEST[ 'bSortable_'.intval($_REQUEST['iSortCol_'.$i]) ] == "true" )
+    check_input_parameter('iSortCol_'.$i, $_REQUEST, false, PATTERN_ID);
+
+    if ( $_REQUEST[ 'bSortable_'.$_REQUEST['iSortCol_'.$i] ] == "true" )
    {
-      $sOrder .= $aColumns[ intval( $_REQUEST['iSortCol_'.$i] ) ]."
-				 	".pwg_db_real_escape_string( $_REQUEST['sSortDir_'.$i] ) .", ";
+      check_input_parameter('sSortDir_'.$i, $_REQUEST, false, '/^(asc|desc)$/');
+
+      $sOrder .= $aColumns[ $_REQUEST['iSortCol_'.$i] ].' '.$_REQUEST['sSortDir_'.$i].', ';
    }
  }