fix(admin): prevent SQL injection in editAccess Mod [#139] (#241)

Ferywir
2026-06-19 12:30:25 +02:00
committed by GitHub
parent 9c726a05b9
commit 1a797bab80
+9 -3
@@ -33,10 +33,16 @@ $sessionaccess = $access['access'];
if($sessionaccess != 9) die("<h1><font color=\"red\">Access Denied: You are not Admin!</font></h1>");
$access = $_POST['access'];
// Cast + whitelist the access level. $_POST['access'] was injected raw into
// the UPDATE below (SQL injection). Only accept the values the admin form
// offers: 0=Banned, 2=Normal user, 8=Multihunter, 9=Admin.
$access = (int) $_POST['access'];
if (!in_array($access, array(0, 2, 8, 9), true)) {
die("Invalid access level");
}
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET
access = ".$access."
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET
access = ".$access."
WHERE id = ".$id."") or die(mysqli_error($database->dblink));
header("Location: ../../../Admin/admin.php?p=player&uid=".$id."");
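Review bot: `$id` is still concatenated unescaped into `WHERE id = ".$id."` on the UPDATE, so the query remains string-built even though the `access` value is now an int; `$id` is assigned before this hunk, so I cannot see whether it is already validated. If it is request-derived (the redirect forwards it as `uid`), cast it the same way the commit does for `$access` — `$id = (int) $id;` before the query — or better, switch the statement to `mysqli_prepare($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET access = ? WHERE id = ?")` with `mysqli_stmt_bind_param($stmt, "ii", $access, $id)`. The `or die(mysqli_error($database->dblink))` also reads the error from a different handle than the one the query runs on (`$GLOBALS["link"]`), so a failed UPDATE would likely report nothing useful; use `mysqli_error($GLOBALS["link"])`. Minor: `(int) $_POST['access']` emits an undefined-index notice when the field is absent, so guard with `isset($_POST['access'])` before the cast.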