Fix SQL injection in admin/messages/reporters #653
rjmackay committed Jul 2, 2012
1 parent a11d43c commit e0e2b66
Showing 1 changed file with 18 additions and 21 deletions.
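--- a/application/controllers/admin/messages/reporters.php
+++ b/application/controllers/admin/messages/reporters.php
@@ -33,27 +33,6 @@ public function index($service_id = 1)
 $this->template->content = new View('admin/reporters/main');
 $this->template->content->title = Kohana::lang('ui_admin.reporters');
 
-$filter = "1=1";
-$search_type = "";
-$keyword = "";
-// Get Search Type (If Any)
-if ($service_id)
-{
-$search_type = $service_id;
-$filter .= " AND (service_id='".$service_id."')";
-}
-else
-{
-$search_type = "0";
-}
-
-// Get Search Keywords (If Any)
-if (isset($_GET['k']) AND !empty($_GET['k']))
-{
-$keyword = $_GET['k'];
-$filter .= " AND (service_account LIKE'%".$_GET['k']."%')";
-}
-
 // setup and initialize form field names
 $form = array
 (
@@ -181,6 +160,24 @@ public function index($service_id = 1)
 }
 }
 
+// Start building query
+$filter = '1=1 ';
+
+// Default search type to service id
+$search_type = ( isset($_GET['s']) ) ? intval($_GET['s']) : intval($service_id);
+if ($search_type > 0)
+{
+$filter .= 'AND service_id = '.intval($search_type).' ';
+}
+
+// Get Search Keywords (If Any)
+$keyword = '';
+if (isset($_GET['k']) AND !empty($_GET['k']))
+{
+$keyword = $_GET['k'];
+$filter .= 'AND service_account LIKE \'%'.Database::instance()->escape_str($_GET['k']).'%\' ';
+}
+
 // Pagination
 $pagination = new Pagination(array(
 'query_string' => 'page',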
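Review bot: `escape_str()` on the keyword closes the string-literal injection in the second hunk, but it does not escape the LIKE metacharacters `%` and `_`, so a keyword such as `%` still matches every `service_account` and `_` acts as a single-character wildcard; if that is not intended, escape them before building the pattern, e.g. `$escaped = Database::instance()->escape_str(addcslashes($_GET['k'], '%_'));` and use `$escaped` in the `LIKE` clause. The raw `$_GET['k']` is also kept in `$keyword` on the line above; whether it is HTML-escaped when rendered is not visible here and should be confirmed on the view side. The `intval()` around `$search_type` on the `service_id` line is redundant since the value was already cast, but harmless. `index()` begins and ends outside both hunks, so where `$filter` is finally passed to the query is not visible in this diff.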
