Changeset 30866


Timestamp:
Jan 8, 2015, 2:11:03 PM (9 years ago)
Author:
plg
Message:

merge r30864 from trunk to branch 2.6

bug 3186: improved security on search.php

Location:
branches/2.6
Files:
2 edited

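--- a/branches/2.6/include/functions.inc.php
+++ b/branches/2.6/include/functions.inc.php
@@ -1888,7 +1888,7 @@
     }
 
-    foreach ($param_value as $item_to_check)
-    {
-      if (!preg_match($pattern, $item_to_check))
+    foreach ($param_value as $key => $item_to_check)
+    {
+      if (!preg_match(PATTERN_ID, $key) or !preg_match($pattern, $item_to_check))
       {
         fatal_error('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');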
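Review bot: The key check added on new line 1892 changes check_input_parameter's contract — an array whose keys are not all numeric now trips fatal_error even when every value matches $pattern — and nothing in the hunk documents that. If any caller passes an associative array through the array branch, it will now be rejected by PATTERN_ID; worth stating in the function's header comment, e.g. `// array parameters must be lists: every key is checked against PATTERN_ID, every value against $pattern`. Minor style point: `or` binds more loosely than `||`; inside this `if` it is harmless, but `||` reads more predictably and avoids surprises if the condition is ever assigned to a variable. The enclosing function starts and ends outside the hunk.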
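--- a/branches/2.6/search.php
+++ b/branches/2.6/search.php
@@ -106,4 +106,6 @@
 
   // dates
+  check_input_parameter('date_type', $_POST, false, '/^date_(creation|available)$/');
+
   $type_date = $_POST['date_type'];
 
@@ -145,5 +147,5 @@
   (rules, last_seen)
   VALUES
-  (\''.serialize($search).'\', NOW())
+  (\''.pwg_db_real_escape_string(serialize($search)).'\', NOW())
 ;';
     pwg_query($query);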
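Review bot: The pattern `'/^date_(creation|available)$/'` added at new line 108 is not as strict as it looks: in PCRE `$` also matches just before a final newline, so a value such as `date_creation` followed by a trailing newline passes the check and is then assigned unchanged to `$type_date` on line 110. Anchoring with `\z` (or the `D` modifier) closes that gap: `check_input_parameter('date_type', $_POST, false, '/^date_(creation|available)\z/');`. The second hunk's change looks right — the escape is applied to the complete serialized string, which is the value actually interpolated into the INSERT. Both hunks sit inside code that starts and ends outside the hunk.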