iarv/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-05-03 12:02:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

fixed #1802 fixed double escape for user creation, album creation and comments

Browse Source
This commit is contained in:
Matthieu Leproux
2022-11-22 16:01:32 +01:00
parent 6278be093a
commit 32ea1aef53
3 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
include/functions_comment.inc.php
View File

@@ -214,10 +214,10 @@ SELECT count(1) FROM '.COMMENTS_TABLE.'
INSERT INTO '.COMMENTS_TABLE.' INSERT INTO '.COMMENTS_TABLE.'
(author, author_id, anonymous_id, content, date, validated, validation_date, image_id, website_url, email) (author, author_id, anonymous_id, content, date, validated, validation_date, image_id, website_url, email)
VALUES ( VALUES (
\''.pwg_db_real_escape_string($comm['author']).'\', \''.$comm['author'].'\',
'.$comm['author_id'].', '.$comm['author_id'].',
\''.$comm['ip'].'\', \''.$comm['ip'].'\',
\''.pwg_db_real_escape_string($comm['content']).'\', \''.$comm['content'].'\',
NOW(), NOW(),
\''.($comment_action=='validate' ? 'true':'false').'\', \''.($comment_action=='validate' ? 'true':'false').'\',
'.($comment_action=='validate' ? 'NOW()':'NULL').', '.($comment_action=='validate' ? 'NOW()':'NULL').',

2
include/functions_user.inc.php
View File

@@ -173,7 +173,7 @@ function register_user($login, $password, $mail_address, $notify_admin=true, &$e
if (empty($errors)) if (empty($errors))
{ {
$insert = array( $insert = array(
$conf['user_fields']['username'] => pwg_db_real_escape_string($login), $conf['user_fields']['username'] => $login,
$conf['user_fields']['password'] => $conf['password_hash']($password), $conf['user_fields']['password'] => $conf['password_hash']($password),
$conf['user_fields']['email'] => $mail_address $conf['user_fields']['email'] => $mail_address
); );

2
include/ws_functions/pwg.categories.php
View File

@@ -648,7 +648,7 @@ function ws_categories_add($params, &$service)
$options['comment'] = strip_tags($params['comment']); $options['comment'] = strip_tags($params['comment']);
} }
$params['name'] = pwg_db_real_escape_string($params['name']); $params['name'] = $params['name'];
$creation_output = create_virtual_category( $creation_output = create_virtual_category(
strip_tags($params['name']), // TODO do not strip tags if pwg_token is provided (and valid) strip_tags($params['name']), // TODO do not strip tags if pwg_token is provided (and valid)
$params['parent'], $params['parent'],