AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #417 from wrongecho/security-fixes 

Security fixes
This commit is contained in:
Johnny 2022-03-28 16:26:59 -04:00 committed by GitHub
parent 1d09562606 9a183774cb
commit 5509f73e82
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
post.php
View File

@ -509,7 +509,7 @@ if(isset($_POST['add_company'])){
mysqli_query($mysqli,"INSERT INTO companies SET company_name = '$name', company_address = '$address', company_city = '$city', company_state = '$state', company_zip = '$zip', company_country = '$country', company_phone = '$phone', company_email = '$email', company_website = '$website', company_locale = '$locale', company_currency = '$currency_code',company_created_at = NOW()");
$company_id = mysqli_insert_id($mysqli);
$config_base_url = $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
$config_base_url = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']));
$config_api_key = keygen();
mkdir("uploads/clients/$company_id");
@ -6804,6 +6804,7 @@ if(isset($_GET['delete_file'])){
$sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id AND company_id = $session_company_id");
$row = mysqli_fetch_array($sql_file);
$client_id = $row['file_client_id'];
$file_name = $row['file_name'];
$file_reference_name = $row['file_reference_name'];
unlink("uploads/clients/$session_company_id/$client_id/$file_reference_name");

2
setup.php
View File

@ -923,7 +923,7 @@ if(isset($_POST['add_company_settings'])){
mysqli_query($mysqli,"INSERT INTO companies SET company_name = '$name', company_address = '$address', company_city = '$city', company_state = '$state', company_zip = '$zip', company_country = '$country', company_phone = '$phone', company_email = '$email', company_website = '$website', company_locale = '$locale', company_currency = '$currency_code', company_created_at = NOW()");
$company_id = mysqli_insert_id($mysqli);
$config_base_url = $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
$config_base_url = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']));
mkdir_missing("uploads/clients/$company_id");
file_put_contents("uploads/clients/$company_id/index.php", "");