Revision 656
Added by thorn almost 17 years ago
| save_comment.php | ||
|---|---|---|
| 26 | 26 |
require('../../config.php');
|
| 27 | 27 |
|
| 28 | 28 |
// Get id |
| 29 |
if(!isset($_POST['comment_id']) OR !is_numeric($_POST['comment_id'])) {
|
|
| 29 |
if(!isset($_POST['comment_id']) OR !is_numeric($_POST['comment_id']) OR !isset($_POST['post_id']) OR !is_numeric($_POST['post_id'])) {
|
|
| 30 | 30 |
header("Location: ".ADMIN_URL."/pages/index.php");
|
| 31 | 31 |
exit(0); |
| 32 | 32 |
} else {
|
| ... | ... | |
| 41 | 41 |
if($admin->get_post('title') == '' AND $admin->get_post('comment') == '') {
|
| 42 | 42 |
$admin->print_error($MESSAGE['GENERIC']['FILL_IN_ALL'], WB_URL.'/modules/news/modify_comment.php?page_id='.$page_id.'§ion_id='.$section_id.'comment_id='.$id); |
| 43 | 43 |
} else {
|
| 44 |
$title = $admin->add_slashes($admin->get_post('title'));
|
|
| 45 |
$comment = $admin->add_slashes($admin->get_post('comment'));
|
|
| 44 |
$title = strip_tags($admin->get_post_escaped('title'));
|
|
| 45 |
$comment = strip_tags($admin->get_post_escaped('comment'));
|
|
| 46 | 46 |
$post_id = $admin->get_post('post_id');
|
| 47 | 47 |
} |
| 48 | 48 |
|
Also available in: Unified diff
Added some missing add_slashes(), get_post_escaped(), and strip_tags() for $_POST, $_GET and $_REQUEST-data. Also for $_SERVER['PHP_SELF'].