
MDL-15184: fix sql injection vulnerability

1 parent d0356e7 commit 680c8b87e9d0c5c0c62415baffcd79c9dccf90cc gbateson committed Jul 1, 2008
Showing with 9 additions and 5 deletions.
  1. +9 −5 mod/hotpot/report.php
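--- a/mod/hotpot/report.php
+++ b/mod/hotpot/report.php
@@ -380,18 +380,22 @@ function hotpot_delete_selected_attempts(&$hotpot, $del) {
 $select = "hotpot='$hotpot->id' AND status=".HOTPOT_STATUS_ABANDONED;
 break;
 case 'selection':
- $ids = (array)data_submitted();
- unset($ids['del']);
- unset($ids['id']);
- if (!empty($ids)) {
+ $ids = array();
+ $data = (array)data_submitted();
+ foreach ($data as $name => $value) {
+ if (preg_match('/^box\d+$/', $name)) {
+ $ids[] = intval($value);
+ }
+ }
+ if (count($ids)) {
 $select = "hotpot='$hotpot->id' AND clickreportid IN (".implode(',', $ids).")";
 }
 break;
 }
 // delete attempts using $select, if it is set
 if ($select) {
-
+
 $table = 'hotpot_attempts';
 if ($attempts = get_records_select($table, $select)) {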
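Review bot: The new loop in the 'selection' case coerces each submitted value with `intval()` instead of validating it, so a non-numeric or non-scalar `box…` field still contributes an id (0 or 1) to the `IN (...)` list rather than being dropped. The cast does close the injection, but I would reject bad values outright with `if (preg_match('/^box\d+$/D', $name) && is_scalar($value) && ($id = intval($value)) > 0) { $ids[] = $id; }`; the `D` modifier also stops `$` from matching before a trailing newline in the field name. hotpot_delete_selected_attempts() starts and ends outside the hunk, so the capability and sesskey checks that should gate this delete are not visible here and are worth confirming in the caller. A short comment above the loop, such as `// only boxNNN checkboxes carry attempt ids; cast to int before building the IN list`, would keep the allow-list from being loosened later.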
