Revision 713
Added by thorn over 17 years ago
| search.php | ||
|---|---|---|
| 83 | 83 |
$search_path_SQL = ""; |
| 84 | 84 |
$search_path = ""; |
| 85 | 85 |
if(isset($_REQUEST['search_path'])) {
|
| 86 |
$search_path = $wb->add_slashes(strip_tags($_REQUEST['search_path'])); |
|
| 86 |
$search_path = $wb->add_slashes($_REQUEST['search_path']); |
|
| 87 |
if(preg_match('/[\'"=()&+\\\\]/', $search_path))
|
|
| 88 |
$search_path = ''; |
|
| 87 | 89 |
if($search_path != '') {
|
| 88 | 90 |
$search_path_SQL = "AND ( "; |
| 89 | 91 |
$not = ""; |
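Review bot: The check added on new lines 87–88 is a denylist that rejects only `' " = ( ) & + \`, so `<`, `>`, `%` and `_` still pass. The rendered gutter does not show which of the two line-86 variants (with or without `strip_tags`) is the new one. If `strip_tags` was dropped, angle brackets reach whatever later prints `$search_path`, and the value also appears to feed the SQL fragment started at `$search_path_SQL = "AND ( "`, though neither use is visible in this hunk. An allowlist would be sturdier, for example `if(!preg_match('/^[A-Za-z0-9_\/.-]*$/', $search_path)) $search_path = '';` (this character set is an assumption, to be matched to the project's real page paths), together with `htmlspecialchars($search_path, ENT_QUOTES)` at the point of output. The `if(isset($_REQUEST['search_path']))` block continues past the end of the hunk, so the downstream handling should be checked there.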
fixed possible(?) XSS-attack in search.php.