We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
There's a SQL Injection possiblity because $_GET['report'] isn't validated to be numeric or escaped.
echo tmpl_page( "" .tmpl_reportList($allowed_reports) .tmpl_reportData( (isset($_GET["report"]) ? $_GET["report"] : false ), $allowed_reports ) ); if (!$reportnumber) { return ""; } $sql = "SELECT * FROM rptrecord where serial = $reportnumber";
I'd suggest adding validation:
if(isset($_GET['report']) && is_numeric($_GET['report'])){ $reportid=$_GET['report']; }elseif(!isset($_GET['report'])){ $reportid=false; }else{ die('Invalid Report ID'); } // Generate Page with report list and report data (if a report is selected). echo tmpl_page( "" .tmpl_reportList($allowed_reports) .tmpl_reportData( $reportid, $allowed_reports ) );
Patch attached. dmarcts-report-viewer.txt
The text was updated successfully, but these errors were encountered:
Added patch provided in Issue #3
64ddc06
Thanks for the suggestion and the patch! The patch has been applied and posted!
Sorry, something went wrong.
Merge pull request #3 from lwt-pressy/beautyfy
a747293
a bit fancy stuff and make domain selectable
No branches or pull requests
There's a SQL Injection possiblity because $_GET['report'] isn't validated to be numeric or escaped.
I'd suggest adding validation:
Patch attached.
dmarcts-report-viewer.txt
The text was updated successfully, but these errors were encountered: