Changeset 30864
- Timestamp:
- Jan 8, 2015, 2:06:27 PM (9 years ago)
- Location:
- trunk
- Files:
-
- 2 edited
trunk/include/functions.inc.php
r29665 r30864 1878 1878 } 1879 1879 1880 foreach ($param_value as $ item_to_check)1881 { 1882 if (!preg_match( $pattern, $item_to_check))1880 foreach ($param_value as $key => $item_to_check) 1881 { 1882 if (!preg_match(PATTERN_ID, $key) or !preg_match($pattern, $item_to_check)) 1883 1883 { 1884 1884 fatal_error('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"'); -
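Review bot: The single fatal_error() message on line 1884 now covers two different rejections — a key that fails PATTERN_ID and a value that fails $pattern — so the log entry no longer tells an operator which half of the pair tripped the check. Since these "[Hacking attempt]" lines are what gets triaged later, split the condition or include the offending key, e.g. `fatal_error('[Hacking attempt] key "'.$key.'" or its value is not valid in input parameter "'.$param_name.'"');`. PATTERN_ID is defined outside this hunk, so its exact shape (presumably digits only) should be confirmed against the array keys PHP produces for `fields[]` style input. The enclosing function check_input_parameter() starts and ends outside the hunk.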
trunk/search.php
r29554 r30864 49 49 { 50 50 check_input_parameter('mode', $_POST, false, '/^(OR|AND)$/'); 51 52 $fields = array_intersect($_POST['fields'], array('name', 'comment', 'file')); 53 51 check_input_parameter('fields', $_POST, true, '/^(name|comment|file)$/'); 52 54 53 $drop_char_match = array( 55 54 '-','^','$',';','#','&','(',')','<','>','`','\'','"','|',',','@','_', … … 72 71 ), 73 72 'mode' => $_POST['mode'], 74 'fields' => $ fields,73 'fields' => $_POST['fields'], 75 74 ); 76 75 } … … 113 112 114 113 // dates 114 check_input_parameter('date_type', $_POST, false, '/^date_(creation|available)$/'); 115 115 116 $type_date = $_POST['date_type']; 116 117 … … 152 153 (rules, last_seen) 153 154 VALUES 154 (\''. serialize($search).'\', NOW())155 (\''.pwg_db_real_escape_string(serialize($search)).'\', NOW()) 155 156 ;'; 156 157 pwg_query($query);
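Review bot: The new `'fields' => $_POST['fields']` on line 73 changes failure mode rather than just validation: the removed array_intersect() silently dropped unknown field names, whereas check_input_parameter() (per the functions.inc.php hunk) aborts via fatal_error on any element outside `name|comment|file`, and that difference is not recorded anywhere in search.php. A one-line comment above the call on line 51 would keep the next maintainer from "restoring" the old filtering, e.g. `// unknown field names abort the request (check_input_parameter) instead of being dropped`. The third positional boolean (`false` for mode/date_type, `true` for fields) also reads ambiguously at the call sites; a short trailing comment such as `/* array expected */` on the fields call would help, assuming that is what the flag controls. The INSERT on line 155 now passes serialize($search) through pwg_db_real_escape_string(), which is the right fix since $search is built from the request; the enclosing if block for the mode/fields checks starts outside the hunk.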