Security fixes. Ensure that numeric values are actually numeric using is_numeric

so users can't log in as admin by passing in non-numeric values.
Jonathan Ernst
2005-03-23 23:56:38 +00:00
committed by WineHQ
parent d4bde62c23
commit 06ea1b6d3d
6 changed files with 8 additions and 8 deletions


@@ -22,7 +22,7 @@ class User {
function User($iUserId="")
{
$this->sRealname = "an anonymous user";
if($iUserId)
if(is_numeric($iUserId))
{
$sQuery = "SELECT *
FROM user_list
@@ -47,8 +47,8 @@ class User {
{
$sQuery = "SELECT *
FROM user_list
WHERE email = '".$sEmail."'
AND password = password('".$sPassword."')";
WHERE email = '".addslashes($sEmail)."'
AND password = password('".addslashes($sPassword)."')";
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult);
$this->iUserId = $oRow->userid;
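Review bot: addslashes() in `WHERE email = '".addslashes($sEmail)."'` and the password() argument is not a reliable SQL escape: it is unaware of the connection charset (a multibyte lead byte can absorb the inserted backslash), and on a PHP 4/5 host with magic_quotes_gpc enabled the input is already escaped and gets doubled, which breaks legitimate logins. Assuming query_appdb() runs over an already-open link, `mysql_real_escape_string($sEmail)` and `mysql_real_escape_string($sPassword)` are the right calls for this code base, with a bound-parameter query being better still. Separately, `$oRow = mysql_fetch_object($hResult)` is used without confirming a row came back, so a failed lookup silently copies undefined fields into `$this->iUserId`; a guard such as `if(!$oRow) return;` before the assignments (matching whatever failure convention the class uses) would make that explicit. The enclosing login method begins before this hunk and continues past it.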