fixes #1967 POST/GET input are already escaped

plegall
2023-08-23 18:56:08 +02:00
parent 407cabcbe9
commit ab111cdbe2


@@ -288,7 +288,7 @@ function ws_tags_rename($params, &$service)
} }
$tag_id = $params['tag_id']; $tag_id = $params['tag_id'];
$tag_name = $params['new_name']; $tag_name = strip_tags(stripslashes($params['new_name']));
// does the tag exist ? // does the tag exist ?
$query = ' $query = '
@@ -318,7 +318,7 @@ SELECT name
else if (!empty($tag_name)) else if (!empty($tag_name))
{ {
$update = array( $update = array(
'name' => addslashes($tag_name), 'name' => pwg_db_real_escape_string($tag_name),
'url_name' => trigger_change('render_tag_url', $tag_name), 'url_name' => trigger_change('render_tag_url', $tag_name),
); );
@@ -332,11 +332,16 @@ SELECT name
array('id' => $tag_id) array('id' => $tag_id)
); );
return array( $query = '
'id' => $tag_id, SELECT
'name' => addslashes($tag_name), id,
'url_name' => trigger_change('render_tag_url', $tag_name) name,
); url_name
FROM '.TAGS_TABLE.'
WHERE id = '.$tag_id.'
;';
return query2array($query)[0];
} }
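Review bot: The new `SELECT` in the last hunk concatenates `$tag_id` into `WHERE id = '.$tag_id.'` without quotes, and the only assignment visible is `$tag_id = $params['tag_id'];` with no cast. Slash-escaping of request input, which the commit title relies on, does not protect an unquoted numeric context, so unless the web-service parameter declaration (not visible here) already enforces an integer, the value should be cast where it is used: `WHERE id = '.intval($tag_id).'`. `query2array($query)[0]` also assumes the row is still there; if the result can be empty, that index raises an undefined-offset warning and the method returns null, so a guard before the `return` would be safer. The body of `ws_tags_rename` starts and ends outside these hunks.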