AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-22 13:35:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

SQL Escape tech username in session. The username is added to most log entries meaning that a simple apostrophe in the name breaks all logging for the user

Browse Source
This commit is contained in:
Marcus Hill
2023-01-02 19:22:21 +00:00
parent 019776f538
commit 24f825ca08
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
login.php
View File

@@ -59,12 +59,12 @@ if(isset($_POST['login'])){
// User variables // User variables
$token = $row['user_token']; $token = $row['user_token'];
$user_name = $row['user_name']; $user_name = strip_tags(mysqli_real_escape_string($mysqli, $row['user_name']));
$user_id = $row['user_id']; $user_id = $row['user_id'];
// Session info // Session info
$_SESSION['user_id'] = $row['user_id']; $_SESSION['user_id'] = $user_id;
$_SESSION['user_name'] = $row['user_name']; $_SESSION['user_name'] = $user_name;
$_SESSION['user_role'] = $row['user_role']; $_SESSION['user_role'] = $row['user_role'];
$_SESSION['csrf_token'] = bin2hex(random_bytes(78)); $_SESSION['csrf_token'] = bin2hex(random_bytes(78));