Changeset 30948


Timestamp:
02/12/15 15:29:19 (5 years ago)
Author:
plg
Message:

bug 3200 fixed: add input checks on admin history

File:
1 edited

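--- a/trunk/admin/history.php
+++ b/trunk/admin/history.php
@@ -76,4 +76,6 @@
   if (!empty($_POST['start']))
   {
+    $_POST['start'] = trim($_POST['start']);
+    check_input_parameter('start', $_POST, false, '/^\d{4}-\d{2}-\d{2}$/');
     $search['fields']['date-after'] = $_POST['start'];
   }
@@ -81,4 +83,6 @@
   if (!empty($_POST['end']))
   {
+    $_POST['end'] = trim($_POST['end']);
+    check_input_parameter('end', $_POST, false, '/^\d{4}-\d{2}-\d{2}$/');
     $search['fields']['date-before'] = $_POST['end'];
   }
@@ -90,8 +94,9 @@
   else
   {
+    check_input_parameter('types', $_POST, true, '/^('.implode('|', $types).')$/');
     $search['fields']['types'] = $_POST['types'];
   }
 
-  $search['fields']['user'] = $_POST['user'];
+  $search['fields']['user'] = intval($_POST['user']);
 
   if (!empty($_POST['image_id']))
@@ -118,4 +123,6 @@
   }
 
+  check_input_parameter('display_thumbnail', $_POST, false, '/^('.implode('|', array_keys($display_thumbnails)).')$/');
+
   $search['fields']['display_thumbnail'] = $_POST['display_thumbnail'];
   // Display choise are also save to one cookie
@@ -143,6 +150,7 @@
   (rules)
   VALUES
-  (\''.serialize($search).'\')
+  (\''.pwg_db_real_escape_string(serialize($search)).'\')
 ;';
+
     pwg_query($query);
 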
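Review bot: The whitelist patterns built on new lines 96 and 125 interpolate `$types` and the keys of `$display_thumbnails` into the regex without quoting, so any future value containing a PCRE metacharacter (`.`, `+`, `(`) would silently widen or break the check; quote each element first, e.g. `'/^('.implode('|', array_map('preg_quote', $types)).')$/'`, and likewise for `array_keys($display_thumbnails)`. Both arrays are defined outside these hunks, so their current contents cannot be confirmed here. The date patterns on new lines 79 and 86 constrain shape only, so a value such as `2015-13-40` passes into the `date-after`/`date-before` fields; if those are compared as dates downstream, a `checkdate()` on the exploded parts is the missing complement. The enclosing `if` block and the `$query` assignment both begin before the hunks shown.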