Security update to thwart SQL injection (previously, magic_quotes_gpc…
… was saving us)
JohnBOren authored and JohnBOren committed Jan 11, 2010
1 parent aca1619 commit 26829bb
Showing 2 changed files with 4 additions and 1 deletion.
3 changes: 2 additions & 1 deletion OpenSiteAdmin/scripts/classes/Field.php
Expand Up @@ -203,7 +203,7 @@ function getTitle($isList=false) {
* @return MIXED Current field value.
*/
function getValue() {
$ret = $this->value;
$ret = SecurityManager::formPrep($this->value);
if(empty($ret)) {
return $this->default;
}
Expand Down Expand Up @@ -271,6 +271,7 @@ function isSilent() {
* @return BOOLEAN False if any error were encountered.
*/
protected function postProcess($value) {
$value = SecurityManager::SQLPrep($value);
$this->setValue($value);
return true;
}
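Review bot: Line 26 SQL-escapes the value and then hands it to `setValue()`, so the escaped text becomes the field's stored state instead of being applied where the query is built; every reader of that state sees the escaped form (including `getValue()` on line 18, which now additionally runs `formPrep` over it), and any write path that does not go through postProcess stays unprotected. Escape-on-store is brittle; the robust form is to keep the raw value in the object and bind parameters (or escape) at the point where DatabaseManager assembles the SQL, if that layer supports it. If the current layering has to stay, say so next to the call: `// value is stored SQL-escaped by SQLPrep; do not escape it again when building queries`. The docblock on line 23 also promises `False if any error were encountered`, but the method unconditionally returns true. getValue's body continues outside the first hunk; postProcess is shown in full.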
2 changes: 2 additions & 0 deletions OpenSiteAdmin/scripts/classes/LoginManager.php
Expand Up @@ -68,6 +68,8 @@ class LoginManager {
* @return INTEGER One of the error code constants defined in this class.
*/
function login($user, $pass, $remember="no", $isCookie=false) {
$user = htmlspecialchars(addslashes($user));
$pass = htmlspecialchars(addslashes($pass));
$sql = "select `users`.*, `libraries`.`interTOME` from `users` JOIN `libraries` ON `users`.`libraryID` = `libraries`.`ID` where `username` LIKE '$user'";
$result = DatabaseManager::checkError($sql);
if(DatabaseManager::getNumResults($result) === 0) {
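Review bot: `addslashes()` on lines 36-37 is not a reliable SQL escape for the interpolated `LIKE '$user'` on line 38: it is charset-unaware (unlike the driver's real-escape function) and leaves the LIKE wildcards `%` and `_` untouched, so the lookup still matches caller-supplied patterns rather than an exact username. Wrapping the result in `htmlspecialchars()` before the query also changes what is looked up — a username containing `&` or `'` is queried in its entity form — which mixes output encoding into a database lookup. The fix is a parameterised query with `username = ?` if DatabaseManager supports binding; failing that, use the driver's real-escape function, compare with `=` instead of `LIKE`, and apply `htmlspecialchars()` only where the value is rendered. How `$pass` is used after line 38 is outside the hunk; login's body continues past it.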
