Changeset 4752


Ignore:
Timestamp:
01/26/10 10:13:37 (10 years ago)
Author:
plg
Message:

bug 1401 fixed: let's use the mysql_real_escape_string on POST fields (even if
I was not able to reproduce any attack because fields are heavily processed
before any SQL query).

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/2.0/search.php

    r3046 r4752  
    3636if (isset($_POST['submit'])) 
    3737{ 
     38  foreach ($_POST as $post_key => $post_value) 
     39  { 
     40    if (!is_array($post_value)) 
     41    { 
     42      $_POST[$post_key] = mysql_real_escape_string($post_value); 
     43    } 
     44  }   
     45   
    3846  if (isset($_POST['search_allwords']) 
    3947      and !preg_match('/^\s*$/', $_POST['search_allwords'])) 
     
    6472  if (isset($_POST['tags'])) 
    6573  { 
     74    check_input_parameter('tags', $_POST['tags'], true, PATTERN_ID); 
     75     
    6676    $search['fields']['tags'] = array( 
    6777      'words' => $_POST['tags'], 
     
    8393  if (isset($_POST['cat'])) 
    8494  { 
     95    check_input_parameter('cat', $_POST['cat'], true, PATTERN_ID); 
     96     
    8597    $search['fields']['cat'] = array( 
    8698      'words'   => $_POST['cat'], 
Note: See TracChangeset for help on using the changeset viewer.