MDL-15184: fix sql injection vulnerability
gbateson committed Jul 1, 2008
1 parent 36ea9a6 commit e5e02e4
Showing 1 changed file with 8 additions and 4 deletions.
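--- a/mod/hotpot/report.php
+++ b/mod/hotpot/report.php
@@ -380,10 +380,14 @@ function hotpot_delete_selected_attempts(&$hotpot, $del) {
 $select = "hotpot=:hotpotid AND status=".HOTPOT_STATUS_ABANDONED;
 break;
 case 'selection':
-$ids = (array)data_submitted();
-unset($ids['del']);
-unset($ids['id']);
-if (!empty($ids)) {
+$ids = array();
+$data = (array)data_submitted();
+foreach ($data as $name => $value) {
+if (preg_match('/^box\d+$/', $name)) {
+$ids[] = intval($value);
+}
+}
+if (count($ids)) {
 list($ids, $idparams) = $DB->get_in_or_equal($ids, SQL_PARAMS_NAMED, 'crid0');
 $params = array_merge($params, $idparams);
 $select = "hotpot=:hotpotid AND clickreportid $ids";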
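Review bot: In the new `foreach`, `intval($value)` silently coerces anything that is not a clean integer: a non-numeric string becomes 0 and a non-empty array value (a `box1[]` style field) becomes 1, so a malformed request can still place an id in the list that drives the delete. The `hotpot=:hotpotid` condition keeps the delete inside this activity, but it would be tighter to drop such values, e.g. `if (is_scalar($value) && ($id = intval($value)) > 0) { $ids[] = $id; }`. The `$` in `/^box\d+$/` also matches before a trailing newline in the field name; the `D` modifier or `\z` closes that. `hotpot_delete_selected_attempts()` starts and ends outside this hunk, so whether the caller verifies the session key and the delete capability cannot be seen here and is worth confirming.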