
Revision 656

Added by thorn almost 17 years ago

Added some missing addslashes(), get_post_escaped(), and strip_tags() calls for $_POST, $_GET and $_REQUEST data. Also for $_SERVER['PHP_SELF'].


class.admin.php
101 101
		$view_url = WB_URL;
102 102
		if(isset($_GET['page_id'])) {
103 103
			// extract page link from the database
104
			$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) $_GET['page_id'] ."'");
104
			$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) addslashes($_GET['page_id']) ."'");
105 105
			$row = @$result->fetchRow();
106 106
			if($row) $view_url .= PAGES_DIRECTORY .$row['link']. PAGE_EXTENSION;
107 107
		}
......
311 311
		if(isset($_GET['tool'])) {
312 312
			// check if displayed page contains a installed admin tool
313 313
			$result = $database->query("SELECT * FROM " .TABLE_PREFIX ."addons 
314
				WHERE type = 'module' AND function = 'tool' AND directory = '".$_GET['tool']."'");
314
				WHERE type = 'module' AND function = 'tool' AND directory = '".addslashes($_GET['tool'])."'");
315 315

  
316 316
			if($result->numRows()) {
317 317
				// check if admin tool directory contains a backend.js or backend.css file to include
......
323 323
			}
324 324
		} elseif(isset($_GET['page_id'])) {
325 325
			// check if displayed page in the backend contains a page module
326
			$page_id = (int) $_GET['page_id'];
326
			$page_id = (int) addslashes($_GET['page_id']);
327 327

  
328 328
    		// gather information for all models embedded on actual page
329 329
			$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections 
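Review bot: In the `tool` hunk (line 314), `addslashes()` is not adequate protection for a value spliced into SQL: it knows nothing about the connection charset and only backslash-escapes `'`, `"`, `\` and NUL, so the query should go through the database layer's own escaping or a prepared statement rather than a generic string function. The same value is used as a directory name a few lines later (the comment at 317 checks that directory for backend.js / backend.css), so validating its shape up front, e.g. guarding the whole branch with `preg_match('/^[A-Za-z0-9_-]+$/', $_GET['tool'])`, both settles the SQL question and keeps path separators out of the filesystem lookup. In the two `page_id` hunks (lines 104 and 326) the new `addslashes()` sits inside an `(int)` cast and so has no effect — `(int) $_GET['page_id']` was already the safe form, and the extra call only suggests a protection that is not there. If `magic_quotes_gpc` is enabled (common for PHP of this era), `addslashes()` on raw `$_GET` data double-escapes; presumably that is what the `get_post_escaped()` helper named in the description exists to handle, but it is not visible from here.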
