kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

fixing sql injection in variables + detecting effective update (hook step 1)

This commit is contained in:
Benjamin Sonntag 2015-06-17 16:50:37 +02:00
parent 2eadec4ae0
commit ed914773d7
1 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
bureau/class/variables.php
View File

@ -112,21 +112,22 @@ function variable_set($name, $value, $comment=null) {
global $conf, $db, $err; global $conf, $db, $err;
$err->log('variable', 'variable_set', '+'.serialize($value).'+'.$comment.'+'); $err->log('variable', 'variable_set', '+'.serialize($value).'+'.$comment.'+');
$conf[$name] = $value; variable_init_maybe();
if (is_object($value) || is_array($value)) { if (is_object($value) || is_array($value)) {
$value = serialize($value); $value2 = serialize($value);
} }
if (!array_key_exists($name,$conf) || $value!=$conf[$name]) {
$conf[$name] = $value;
if ( empty($comment) ) { if ( empty($comment) ) {
$query = "INSERT INTO variable (name, value) values ('".$name."', '".$value."') on duplicate key update name='$name', value='$value';"; $query = "INSERT INTO variable (name, value) values ('".$name."', '".addslashes($value2)."') on duplicate key update name='$name', value='$value';";
} else { } else {
$comment=mysql_real_escape_string($comment); $comment=mysql_real_escape_string($comment);
$query = "INSERT INTO variable (name, value, comment) values ('".$name."', '".$value."', '$comment') on duplicate key update name='$name', value='$value', comment='$comment';"; $query = "INSERT INTO variable (name, value, comment) values ('".$name."', '".addslashes($value2)."', '$comment') on duplicate key update name='$name', value='$value', comment='$comment';";
}
$db->query($query);
} }
$db->query("$query");
variable_init();
} }
/** /**