From 1fe8a45dc6b4b221bc0b89c0ab1e6147aca96f99 Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Sun, 18 Sep 2022 19:14:15 +0100
Subject: [PATCH] Small edit to the way contact passwords are set - potential
 SQL injection issue

---
 post.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/post.php b/post.php
index d6b7594f..208b5f13 100644
--- a/post.php
+++ b/post.php
@@ -3999,7 +3999,6 @@ if(isset($_POST['edit_contact'])){
     $notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['notes'])));
     $location_id = intval($_POST['location']);
     $auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['auth_method'])));
-    $password = $_POST['contact_password'];
 
     $existing_file_name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['existing_file_name']));
 
@@ -4015,8 +4014,8 @@ if(isset($_POST['edit_contact'])){
     }
 
     // Set password
-    if(!empty($password)){
-      $password_hash = password_hash($password, PASSWORD_DEFAULT);
+    if(!empty($_POST['contact_password'])){
+      $password_hash = mysqli_real_escape_string($mysqli,password_hash($_POST['contact_password'], PASSWORD_DEFAULT));
       mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_client_id = '$client_id'");
     }