From 68b7abe2bcddf663eefe733163ff2c0f33205609 Mon Sep 17 00:00:00 2001
From: dvz
Date: Sat, 19 Nov 2022 20:02:35 +0100
Subject: [PATCH] Fix ACP Users SQL injection

---
 admin/modules/user/users.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/admin/modules/user/users.php b/admin/modules/user/users.php
index 594cbd27e8..e7bc144f6c 100644
--- a/admin/modules/user/users.php
+++ b/admin/modules/user/users.php
@@ -3409,6 +3409,11 @@ function build_users_view($view)
 $userfield_sql = '1=1';
 foreach($view['custom_profile_fields'] as $column => $input)
 {
+ if(!preg_match('/^fid[0-9]+(_blank)?$/', $column))
+ {
+ continue;
+ }
+
 if(is_array($input))
 {
 foreach($input as $value => $text)
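Review bot: The allowlist pattern in the added `preg_match` ends with `$`, which in PCRE also matches immediately before a final line feed, so the check is not an exact match on the key; anchoring with `\z` (or adding the `D` modifier) closes that gap: `if(!preg_match('/\Afid[0-9]+(_blank)?\z/', $column))`. How `$column` is used afterwards is not visible, because the loop body continues outside the hunk, so the practical impact is probably limited to stray whitespace, but an identifier allowlist should be exact. The check covers only the array key; `$input`, `$value` and `$text` are handled further down in `build_users_view` and should be confirmed as escaped there. A short comment above the check, such as `// Accept only profile field keys (fidN or fidN_blank); anything else is skipped`, would record why unknown keys are silently dropped.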