Skip to content
This repository has been archived by the owner on Feb 15, 2021. It is now read-only.
Permalink
Browse files Browse the repository at this point in the history
Some SQL injection safeguards
  • Loading branch information
lierdakil committed Sep 17, 2010
1 parent 2931923 commit 41213b6
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/backend/include/BaseAction.php
Expand Up @@ -36,6 +36,8 @@ protected function getMessageParam($param,$err_message,$err_no) {
protected function db_query($query) {
$query=str_replace("\n","",$query);
$query=ereg_replace(" +"," ",$query);
if(strpos($query, ';') !== false)
throw new Exception("Query '$query' contains ';'!", ERR_DB);
$result = $this->mysql->query($query);
if ($result === true) {
if($this->mysql->affected_rows>0)
Expand Down Expand Up @@ -102,6 +104,9 @@ function __construct($message) {
parent::__construct($message);
$this->iid = $this->getMessageParam('iid',
"No IID provided", ERR_NO_IID);
#iid MUST be numeric. If not, it's not an IID!
if(!is_numeric($this->iid))
throw new Exception("Malformed IID '$this->iid'!", ERR_NO_IID);
}
}
?>

0 comments on commit 41213b6

Please sign in to comment.