Project

General

Profile

« Previous | Next » 

Revision 656

Added by thorn almost 17 years ago

Added some missing add_slashes(), get_post_escaped(), and strip_tags() for $_POST, $_GET and $_REQUEST-data. Also for $_SERVER['PHP_SELF'].

View differences:

view.php
124 124 

  		




  125
  125
  
    
// Add form starter code


  		




  126
  126
  
    
?>


  		




  127
  
  
    
<form name="form" onsubmit="return formCheck(this);" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">


  		




  
  127
  
    
<form name="form" onsubmit="return formCheck(this);" action="<?php echo htmlspecialchars(strip_tags($_SERVER['PHP_SELF'])); ?>" method="post">


  		




  128
  128
  
    
<input type="hidden" name="submission_id" value="<?php echo $_SESSION['form_submission_id']; ?>" />


  		




  129
  129
  
    
<?php


  		




  130
  130
  
    

  		




  ......




  338
  338
  
    
			$email_from = $fetch_settings['email_from'];


  		




  339
  339
  
    
			if(substr($email_from, 0, 5) == 'field') {


  		




  340
  340
  
    
				// Set the email from field to what the user entered in the specified field


  		




  341
  
  
    
				$email_from = $wb->add_slashes($_POST[$email_from]);


  		




  
  341
  
    
				$email_from = htmlspecialchars($wb->add_slashes($_POST[$email_from]));


  		




  342
  342
  
    
			}


  		




  343
  343
  
    
			$email_fromname = $fetch_settings['email_fromname'];


  		




  344
  344
  
    
			$email_subject = $fetch_settings['email_subject'];


  		




  ......




  346
  346
  
    
			$success_email_to = $fetch_settings['success_email_to'];


  		




  347
  347
  
    
			if(substr($success_email_to, 0, 5) == 'field') {


  		




  348
  348
  
    
				// Set the success_email to field to what the user entered in the specified field


  		




  349
  
  
    
				$success_email_to = $wb->add_slashes($_POST[$success_email_to]);


  		




  
  349
  
    
				$success_email_to = htmlspecialchars($wb->add_slashes($_POST[$success_email_to]));


  		




  350
  350
  
    
			}


  		




  351
  351
  
    
			$success_email_from = $fetch_settings['success_email_from'];


  		




  352
  352
  
    
			$success_email_fromname = $fetch_settings['success_email_fromname'];


  		




  ......




  384
  384
  
    
				// Add to message body


  		




  385
  385
  
    
				if($field['type'] != '') {


  		




  386
  386
  
    
					if(!empty($_POST['field'.$field['field_id']])) {


  		




  387
  
  
    
						if(isset($captcha_error)) $_SESSION['field'.$field['field_id']] = $_POST['field'.$field['field_id']];


  		




  
  387
  
    
						if(isset($captcha_error)) $_SESSION['field'.$field['field_id']] = htmlspecialchars($_POST['field'.$field['field_id']]);


  		




  388
  388
  
    
						if($field['type'] == 'email' AND $admin->validate_email($_POST['field'.$field['field_id']]) == false) {


  		




  389
  389
  
    
							$email_error = $MESSAGE['USERS']['INVALID_EMAIL'];


  		




  390
  390
  
    
						}


  		












Also available in:  Unified diff