AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed password issue causing SQL escape characters to add slashes remove mysqli_real_escape_string as its not needs, md5 produces no sql escape characters by default so it it does not need santized

This commit is contained in:
johnny@pittpc.com 2019-09-24 14:52:53 -04:00
parent 37270183c5
commit bc61b59244
3 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
login.php
View File

@ -25,7 +25,7 @@ session_start();
if(isset($_POST['login'])){
$email = mysqli_real_escape_string($mysqli,$_POST['email']);
$password = md5(mysqli_real_escape_string($mysqli,$_POST['password']));
$password = md5($_POST['password']);
$current_code = mysqli_real_escape_string($mysqli,$_POST['current_code']);
$sql = mysqli_query($mysqli,"SELECT * FROM users WHERE email = '$email' AND password = '$password'");

6
post.php
View File

@ -17,7 +17,7 @@ if(isset($_POST['add_user'])){
$name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']));
$email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
$password = md5(mysqli_real_escape_string($mysqli,$_POST['password']));
$password = md5($_POST['password']);
$client_id = intval($_POST['client']);
mysqli_query($mysqli,"INSERT INTO users SET name = '$name', email = '$email', password = '$password', avatar = '$path', created_at = NOW(), client_id = $client_id");
@ -55,8 +55,8 @@ if(isset($_POST['edit_user'])){
$user_id = intval($_POST['user_id']);
$name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']));
$email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
$current_password_hash = mysqli_real_escape_string($mysqli,$_POST['current_password_hash']);
$password = mysqli_real_escape_string($mysqli,$_POST['password']);
$current_password_hash = $_POST['current_password_hash'];
$password = $_POST['password'];
if($current_password_hash == $password){
$password = $current_password_hash;
}else{

2
setup.php
View File

@ -132,7 +132,7 @@ if(isset($_POST['add_user'])){
$name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']));
$email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
$password = md5(mysqli_real_escape_string($mysqli,$_POST['password']));
$password = md5($_POST['password']);
mysqli_query($mysqli,"INSERT INTO users SET name = '$name', email = '$email', password = '$password', created_at = NOW()");