fix: security patching due to mysql injection vulnerabilities everywhere

Martin Ambrus
2017-10-17 12:21:41 +02:00
parent 74cccb2a74
commit 1654ce498f
10 changed files with 694 additions and 12 deletions
+2 -2
@@ -139,7 +139,7 @@ class Account {
if(START_DATE < date('m/d/Y') or START_DATE == date('m/d/Y') && START_TIME <= date('H:i'))
{
global $database;
$q = "SELECT * FROM ".TB_PREFIX."activate where act = '".$_POST['id']."'";
$q = "SELECT * FROM ".TB_PREFIX."activate where act = '".$database->escape($_POST['id'])."'";
$result = mysqli_query($GLOBALS['link'],$q);
$dbarray = mysqli_fetch_array($result);
if($dbarray['act'] == $_POST['id']) {
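Review bot: The escaped `$_POST['id']` is still concatenated into the SQL string, and the query runs on `$GLOBALS['link']` while the escaping goes through `$database->escape()`, so it is only safe if both use the same connection and charset, which this hunk does not show. A bound parameter removes that dependency: `$stmt = mysqli_prepare($GLOBALS['link'], "SELECT * FROM ".TB_PREFIX."activate WHERE act = ?");` followed by `mysqli_stmt_bind_param($stmt, 's', $_POST['id']);`. The check `$dbarray['act'] == $_POST['id']` is a loose comparison on a result that is not an array when no row matches, so an empty `id` would compare equal to the missing column; `if(is_array($dbarray) && $dbarray['act'] === $_POST['id']) {` closes that. The same escape-and-concatenate pattern appears in the `Unreg()` hunk that follows. The function enclosing this hunk starts outside it.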
@@ -164,7 +164,7 @@ class Account {
private function Unreg() {
global $database;
$q = "SELECT * FROM ".TB_PREFIX."activate where id = '".$_POST['id']."'";
$q = "SELECT * FROM ".TB_PREFIX."activate where id = '".$database->escape($_POST['id'])."'";
$result = mysqli_query($GLOBALS['link'],$q);
$dbarray = mysqli_fetch_array($result);
if(md5($_POST['pw']) == $dbarray['password']) {