SQL Escape tech username in session. The username is added to most log entries, meaning that a simple apostrophe in the name breaks all logging for the user.

Marcus Hill 2023-01-02 19:22:21 +00:00
parent 019776f538
commit 24f825ca08
1 changed files with 3 additions and 3 deletions


@ -59,12 +59,12 @@ if(isset($_POST['login'])){
// User variables
$token = $row['user_token'];
$user_name = $row['user_name'];
$user_name = strip_tags(mysqli_real_escape_string($mysqli, $row['user_name']));
$user_id = $row['user_id'];
// Session info
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['user_name'] = $row['user_name'];
$_SESSION['user_id'] = $user_id;
$_SESSION['user_name'] = $user_name;
$_SESSION['user_role'] = $row['user_role'];
$_SESSION['csrf_token'] = bin2hex(random_bytes(78));
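Review bot: Storing the output of `mysqli_real_escape_string()` in `$_SESSION['user_name']` moves the escaping to login time instead of the query, so a name such as O'Brien is held as `O\'Brien` and would presumably show the backslash wherever the session value is displayed. It also makes every log query depend on this one assignment: any other path that sets or reads the name unescaped brings back the broken, injectable statement. I would keep `$_SESSION['user_name'] = $row['user_name'];` raw, bind the name in the log inserts with `mysqli_prepare()` / `mysqli_stmt_bind_param()`, and use `htmlspecialchars($name, ENT_QUOTES, 'UTF-8')` where it is printed rather than `strip_tags()` here. The enclosing `if(isset($_POST['login'])){` block starts and ends outside this hunk, so the log call sites are not visible.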