Changeset 30865


Timestamp:
Jan 8, 2015, 2:09:38 PM (9 years ago)
Author:
plg
Message:

merge r30864 from trunk to branch 2.5

bug 3186: improved security on search.php

Location:
branches/2.5
Files:
2 edited

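--- a/branches/2.5/include/functions.inc.php
+++ b/branches/2.5/include/functions.inc.php
@@ -1566,7 +1566,7 @@
     }
 
-    foreach ($param_value as $item_to_check)
-    {
-      if (!preg_match($pattern, $item_to_check))
+    foreach ($param_value as $key => $item_to_check)
+    {
+      if (!preg_match(PATTERN_ID, $key) or !preg_match($pattern, $item_to_check))
       {
         fatal_error('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');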
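Review bot: The new key check in the added `if` folds two different failures into one message, so someone reading the log for a rejected request cannot tell whether an array key or a value tripped it; I would test the key on its own line first with `fatal_error('[Hacking attempt] an array key is not valid in input parameter "'.$param_name.'"');` and keep the existing message for the value check. Requiring every key to match PATTERN_ID (defined elsewhere, presumably a digits-only pattern) also tightens the contract of this function: any caller that passes an associative array through the array branch will now be rejected as a hacking attempt, so the callers are worth a grep before merging. check_input_parameter starts and ends outside this hunk.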
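--- a/branches/2.5/search.php
+++ b/branches/2.5/search.php
@@ -49,5 +49,5 @@
   {
     check_input_parameter('mode', $_POST, false, '/^(OR|AND)$/');
-    
+
     $drop_char_match = array(
       '-','^','$',';','#','&','(',')','<','>','`','\'','"','|',',','@','_',
@@ -106,4 +106,6 @@
 
   // dates
+  check_input_parameter('date_type', $_POST, false, '/^date_(creation|available)$/');
+
   $type_date = $_POST['date_type'];
 
@@ -145,5 +147,5 @@
   (rules, last_seen)
   VALUES
-  (\''.serialize($search).'\', NOW())
+  (\''.pwg_db_real_escape_string(serialize($search)).'\', NOW())
 ;';
     pwg_query($query);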
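Review bot: The added pattern `'/^date_(creation|available)$/'` still accepts a value with a trailing newline, because in PCRE `$` matches before a final "\n" unless the `D` modifier is set, so `date_creation\n` passes the check and is then read into `$type_date` on the next line; anchor it with `'/^date_(creation|available)$/D'` (or end the pattern with `\z`). The same applies to the `'/^(OR|AND)$/'` pattern for `mode` visible as context in the first hunk. Whether the stray newline is exploitable depends on how `$type_date` is used further down, which is outside the hunk, but the tighter anchor costs nothing. The escaping added in the third hunk is the right minimal fix given that the query is built by string concatenation for `pwg_query`.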