SQL Injection Fix
This would fix a Major SQL Injection Flaw. I guess the $this->db->sql_escape is the right function.
Daniel Mota committed Oct 25, 2016
1 parent 3ed3155 commit dd8a312
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions event/listener.php
Expand Up @@ -73,11 +73,11 @@ public function list_keywords($event)
continue;
}

$sql = 'SELECT word_id FROM ' . SEARCH_WORDLIST_TABLE . ' WHERE word_text = "' . $word . '"';
$sql = 'SELECT word_id FROM ' . SEARCH_WORDLIST_TABLE . ' WHERE word_text = "' . $this->db->sql_escape($word) . '"';
$resulttemp = $this->db->sql_query($sql);
$found = ($rowtemp = $this->db->sql_fetchrow($resulttemp));

$sql = 'SELECT search_keywords, last_time FROM ' . $this->searchresults_table . ' WHERE search_keywords = "' . $word . '"';
$sql = 'SELECT search_keywords, last_time FROM ' . $this->searchresults_table . ' WHERE search_keywords = "' . $this->db->sql_escape($word) . '"';
$result = $this->db->sql_query($sql);
$used = ($row = $this->db->sql_fetchrow($result));
$this->db->sql_freeresult($result);
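Review bot: Both replaced lines (the `word_text` query and the `search_keywords` query) still delimit the SQL literal with double quotes, while phpBB's `sql_escape()` is meant to be paired with single-quoted literals; the MySQL driver escapes both quote characters, but as far as I recall several of the other phpBB drivers only double single quotes, so a `"` in `$word` would still break out of the literal there, and the query additionally depends on MySQL's non-standard reading of `"` as a string delimiter. Match the delimiter to the escaping function: `$sql = 'SELECT word_id FROM ' . SEARCH_WORDLIST_TABLE . " WHERE word_text = '" . $this->db->sql_escape($word) . "'";` and `$sql = 'SELECT search_keywords, last_time FROM ' . $this->searchresults_table . " WHERE search_keywords = '" . $this->db->sql_escape($word) . "'";`. Separately, visible in the context lines, `$resulttemp` from the first query is never passed to `sql_freeresult()` the way `$result` is. `list_keywords()` begins and ends outside this hunk.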
