From 9e9bb50db0b36b8525a36b67aed1e17ada9137c7 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Sun, 12 Dec 2021 01:22:39 -0500
Subject: [PATCH] Fixed a SQL injection could only work if you had a login thanks disclosure5 for pointing this out from reddit/r/msp
---
 logs.php | 2 +-
 post.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/logs.php b/logs.php
index 40b6170a..459e6ea6 100644
--- a/logs.php
+++ b/logs.php
@@ -135,7 +135,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
">
diff --git a/post.php b/post.php
index 7ca63de0..da65492b 100644
--- a/post.php
+++ b/post.php
@@ -251,7 +251,7 @@ if(isset($_POST['edit_profile'])){
 if(isset($_POST['edit_user_companies'])){
 $user_id = intval($_POST['user_id']);
- $companies = $_POST['companies'];
+ $companies = mysqli_real_escape_string($_POST['companies']);
 //Turn the Array into a string with , seperation
 $companies_imploded = implode(",",$companies);
@@ -270,7 +270,7 @@ if(isset($_POST['edit_user_companies'])){
 if(isset($_POST['edit_user_clients'])){
 $user_id = intval($_POST['user_id']);
- $clients = $_POST['clients'];
+ $clients = mysqli_real_escape_string($_POST['clients']);
 //Turn the Array into a string with , seperation
 $clients_imploded = implode(",",$clients);
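Review bot: The new line in the `@@ -251` hunk, `$companies = mysqli_real_escape_string($_POST['companies']);`, does not escape anything as written: the procedural form takes the connection as its first argument (`mysqli_real_escape_string($mysqli, $string)`), and the value it is handed is an array (it is passed to `implode()` two lines later), so the call errors out rather than sanitising the input. Since `$user_id` in the same hunk is already coerced with `intval()`, the consistent fix is to coerce every element of the list the same way before imploding, e.g. `$companies = array_map('intval', (array) ($_POST['companies'] ?? []));` — this assumes the values are numeric IDs, which the intval-on-`user_id` pattern suggests but this hunk does not show. The `@@ -270` hunk for `edit_user_clients` has the same defect and takes the same fix. Both enclosing `if` blocks continue past their hunks, where the imploded string is presumably placed into a query; a prepared statement there would remove the need for any escaping step.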
Timestamp