Changeset 600

Timestamp:
10/15/06 16:27:12 (2 years ago)
Author:
Rickard
Message:

Fixed some admin-only SQL injections.

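--- a/trunk/upload/admin_forums.php
+++ b/trunk/upload/admin_forums.php
@@ -141,5 +141,5 @@
                         message('Position must be a positive integer value.');
 
-                $db->query('UPDATE '.$db->prefix.'forums SET disp_position='.$disp_position.' WHERE id='.$forum_id) or error('Unable to update forum', __FILE__, __LINE__, $db->error());
+                $db->query('UPDATE '.$db->prefix.'forums SET disp_position='.$disp_position.' WHERE id='.intval($forum_id)) or error('Unable to update forum', __FILE__, __LINE__, $db->error());
         }
 
@@ -187,7 +187,7 @@
                         while ($cur_group = $db->fetch_assoc($result))
                         {
-                                $read_forum_new = ($cur_group['g_read_board'] == '1') ? isset($_POST['read_forum_new'][$cur_group['g_id']]) ? $_POST['read_forum_new'][$cur_group['g_id']] : '0' : $_POST['read_forum_old'][$cur_group['g_id']]
-                                $post_replies_new = isset($_POST['post_replies_new'][$cur_group['g_id']]) ? $_POST['post_replies_new'][$cur_group['g_id']] : '0';
-                                $post_topics_new = isset($_POST['post_topics_new'][$cur_group['g_id']]) ? $_POST['post_topics_new'][$cur_group['g_id']] : '0';
+                                $read_forum_new = ($cur_group['g_read_board'] == '1') ? isset($_POST['read_forum_new'][$cur_group['g_id']]) ? '1' : '0' : intval($_POST['read_forum_old'][$cur_group['g_id']])
+                                $post_replies_new = isset($_POST['post_replies_new'][$cur_group['g_id']]) ? '1' : '0';
+                                $post_topics_new = isset($_POST['post_topics_new'][$cur_group['g_id']]) ? '1' : '0';
 
                                 // Check if the new settings differ from the old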
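Review bot: On the new line 143, `$disp_position` is still concatenated into the UPDATE statement raw, while the commit only wraps `$forum_id` in intval(); the message on line 141 suggests a positive-integer check runs above this hunk, but that guard is not in the visible lines and the query should not depend on it. Casting at the point of use keeps the statement safe even if the validation above is later changed: `$db->query('UPDATE '.$db->prefix.'forums SET disp_position='.intval($disp_position).' WHERE id='.intval($forum_id)) or error('Unable to update forum', __FILE__, __LINE__, $db->error());`. In the second hunk, `intval($_POST['read_forum_old'][$cur_group['g_id']])` on the new line 189 reads the index without an isset() check, so a form submission missing that field raises an undefined-index notice; `intval(isset($_POST['read_forum_old'][$cur_group['g_id']]) ? $_POST['read_forum_old'][$cur_group['g_id']] : 0)` avoids that while keeping the same integer result. The enclosing blocks of both hunks begin and end outside the hunk.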
  • trunk/upload/admin_users.php

    r243 r600  
    258258        while (list($key, $input) = @each($form)) 
    259259        { 
    260                 if ($input != ''
     260                if ($input != '' && in_array($key, array('username', 'email', 'title', 'realname', 'url', 'jabber', 'icq', 'msn', 'aim', 'yahoo', 'location', 'signature', 'admin_note'))
    261261                        $conditions[] = 'u.'.$db->escape($key).' '.$like_command.' \''.$db->escape(str_replace('*', '%', $input)).'\''; 
    262262        } 
     
    268268 
    269269        if ($user_group != 'all') 
    270                 $conditions[] = 'u.group_id='.$db->escape($user_group); 
     270                $conditions[] = 'u.group_id='.intval($user_group); 
    271271 
    272272        if (empty($conditions))