From 6897af23e0557e693842317200e58d77f59dc39e Mon Sep 17 00:00:00 2001
From: Tony Lambregts <tony_lambregts@telusplanet.net>
Date: Sat, 8 Jan 2005 18:38:29 +0000
Subject: [PATCH] Security fix for user->create

---
 include/user.php | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/include/user.php b/include/user.php
index d83b81d..e63b860 100644
--- a/include/user.php
+++ b/include/user.php
@@ -120,11 +120,20 @@ class User {
      */
     function create($username, $password, $realname, $email, $CVSrelease)
     {
-        $result = mysql_query("INSERT INTO user_list VALUES ( NOW(), 0, ".
-                              "'$username', password('$password'), ".
-                              "'$realname', '$email', NOW(), 0, 0, '$CVSrelease')");
-        if(!$result)
+        $aInsert = compile_insert_string(array( 'username' => $username,
+                                                'realname' => $realname,
+                                                'email' => $email,
+                                                'status' => 0,
+                                                'perm' => 0,
+                                                'CVSrelease' => $CVSrelease ));
+
+        $sFields = "({$aInsert['FIELDS']}, `password`, `stamp`, `created`)";
+        $sValues = "({$aInsert['VALUES']}, password('".$password."'), NOW(), NOW() )";
+
+        if (!query_userdb("INSERT INTO user_list $sFields VALUES $sValues"))
+        {
             return mysql_error();
+        }
         return $this->restore($username, $password);
     }