Timestamp:
Feb 12, 2015, 3:29:19 PM (9 years ago)
Author:
plg
Message:

bug 3200 fixed: add input checks on admin history

File:
1 edited

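--- a/trunk/admin/history.php
+++ b/trunk/admin/history.php
@@ -76,4 +76,6 @@
   if (!empty($_POST['start']))
   {
+    $_POST['start'] = trim($_POST['start']);
+    check_input_parameter('start', $_POST, false, '/^\d{4}-\d{2}-\d{2}$/');
     $search['fields']['date-after'] = $_POST['start'];
   }
@@ -81,4 +83,6 @@
   if (!empty($_POST['end']))
   {
+    $_POST['end'] = trim($_POST['end']);
+    check_input_parameter('end', $_POST, false, '/^\d{4}-\d{2}-\d{2}$/');
     $search['fields']['date-before'] = $_POST['end'];
   }
@@ -90,8 +94,9 @@
   else
   {
+    check_input_parameter('types', $_POST, true, '/^('.implode('|', $types).')$/');
     $search['fields']['types'] = $_POST['types'];
   }
 
-  $search['fields']['user'] = $_POST['user'];
+  $search['fields']['user'] = intval($_POST['user']);
 
   if (!empty($_POST['image_id']))
@@ -118,4 +123,6 @@
   }
 
+  check_input_parameter('display_thumbnail', $_POST, false, '/^('.implode('|', array_keys($display_thumbnails)).')$/');
+
   $search['fields']['display_thumbnail'] = $_POST['display_thumbnail'];
   // Display choise are also save to one cookie
@@ -143,6 +150,7 @@
   (rules)
   VALUES
-  (\''.serialize($search).'\')
+  (\''.pwg_db_real_escape_string(serialize($search)).'\')
 ;';
+
     pwg_query($query);
 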
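Review bot: The allow-list patterns on new lines 96 and 125 are built by interpolating `$types` and `array_keys($display_thumbnails)` into the regex unescaped, so a value containing a PCRE metacharacter or the `/` delimiter would either break the pattern or let unintended input through; whether that can happen depends on how those arrays are populated, which is outside the hunk. Escaping each element is cheap, e.g. `$quoted = array(); foreach ($types as $t) { $quoted[] = preg_quote($t, '/'); }` followed by `check_input_parameter('types', $_POST, true, '/^('.implode('|', $quoted).')$/');`. The same anchoring point applies to all four new patterns: `$` without the `D` modifier also matches before a trailing newline, so `/^...$/D` is the strict form, which matters most for `types` and `display_thumbnail` where the value is not trimmed first. The date patterns on lines 79 and 86 only check shape, not validity (a `2015-13-40` still passes), so a `checkdate()` on the three parts would be a reasonable follow-up. The enclosing `if` these statements belong to starts and ends outside the hunks.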