Permalink
Browse files

Escaping the email in register.php. This isn't actually required as i…

…f is_valid_email() returns false the query will not be ran, and is_valid_email() will not validate an email that contains a single quote.

I decided to escape this anyway for consistency, and if nothing else, others using the code may not realize that is_valid_email must not allow single quotes for security reasons.
  • Loading branch information...
reines committed Sep 7, 2009
1 parent d407080 commit be2c490d1fbe1acec765489412b91d19b5b94def
Showing with 2 additions and 2 deletions.
  1. +2 −2 upload/register.php
View
@@ -163,7 +163,7 @@
// Check if someone else already has registered with that e-mail address
$dupe_list = array();
$result = $db->query('SELECT username FROM '.$db->prefix.'users WHERE email=\''.$email1.'\'') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
$result = $db->query('SELECT username FROM '.$db->prefix.'users WHERE email=\''.$db->escape($email1).'\'') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
if ($db->num_rows($result))
{
if ($pun_config['p_allow_dupe_email'] == '0')
@@ -196,7 +196,7 @@
$password_hash = pun_hash($password1);
// Add the user
$db->query('INSERT INTO '.$db->prefix.'users (username, group_id, password, email, email_setting, save_pass, timezone, language, style, registered, registration_ip, last_visit) VALUES(\''.$db->escape($username).'\', '.$intial_group_id.', \''.$password_hash.'\', \''.$email1.'\', '.$email_setting.', '.$save_pass.', '.$timezone.' , \''.$db->escape($language).'\', \''.$pun_config['o_default_style'].'\', '.$now.', \''.get_remote_address().'\', '.$now.')') or error('Unable to create user', __FILE__, __LINE__, $db->error());
$db->query('INSERT INTO '.$db->prefix.'users (username, group_id, password, email, email_setting, save_pass, timezone, language, style, registered, registration_ip, last_visit) VALUES(\''.$db->escape($username).'\', '.$intial_group_id.', \''.$password_hash.'\', \''.$db->escape($email1).'\', '.$email_setting.', '.$save_pass.', '.$timezone.' , \''.$db->escape($language).'\', \''.$pun_config['o_default_style'].'\', '.$now.', \''.get_remote_address().'\', '.$now.')') or error('Unable to create user', __FILE__, __LINE__, $db->error());
$new_uid = $db->insert_id();

0 comments on commit be2c490

Please sign in to comment.