AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Small edit to the way contact passwords are set - potential SQL injection issue

This commit is contained in:
Marcus Hill 2022-09-18 19:14:15 +01:00
parent 5d2e64515b
commit 1fe8a45dc6
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
post.php
View File

@ -3999,7 +3999,6 @@ if(isset($_POST['edit_contact'])){
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['notes'])));
$location_id = intval($_POST['location']);
$auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['auth_method'])));
$password = $_POST['contact_password'];
$existing_file_name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['existing_file_name']));
@ -4015,8 +4014,8 @@ if(isset($_POST['edit_contact'])){
}
// Set password
if(!empty($password)){
$password_hash = password_hash($password, PASSWORD_DEFAULT);
if(!empty($_POST['contact_password'])){
$password_hash = mysqli_real_escape_string($mysqli,password_hash($_POST['contact_password'], PASSWORD_DEFAULT));
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_client_id = '$client_id'");
}