AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-01 11:24:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Small edit to the way contact passwords are set - potential SQL injection issue

Browse Source
This commit is contained in:
Marcus Hill
2022-09-18 19:14:15 +01:00
parent 5d2e64515b
commit 1fe8a45dc6
1 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
post.php
View File

@@ -3999,7 +3999,6 @@ if(isset($_POST['edit_contact'])){
$notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['notes']))); $notes = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['notes'])));
$location_id = intval($_POST['location']); $location_id = intval($_POST['location']);
$auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['auth_method']))); $auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['auth_method'])));
$password = $_POST['contact_password'];
$existing_file_name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['existing_file_name'])); $existing_file_name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['existing_file_name']));
@@ -4015,8 +4014,8 @@ if(isset($_POST['edit_contact'])){
} }
// Set password // Set password
if(!empty($password)){ if(!empty($_POST['contact_password'])){
$password_hash = password_hash($password, PASSWORD_DEFAULT); $password_hash = mysqli_real_escape_string($mysqli,password_hash($_POST['contact_password'], PASSWORD_DEFAULT));
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_client_id = '$client_id'"); mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_client_id = '$client_id'");
} }