diff --git a/GameEngine/Admin/database.php b/GameEngine/Admin/database.php index 8c123eeb..82da6a73 100755 --- a/GameEngine/Admin/database.php +++ b/GameEngine/Admin/database.php @@ -82,6 +82,7 @@ class adm_DB { $bcrypted = false; } + $username = htmlspecialchars($username); if($pwOk) { // update password to bcrypt, if correct if (!$dbarray['is_bcrypt'] && !$bcrypted) { diff --git a/GameEngine/Database.php b/GameEngine/Database.php index e244372e..290a2a14 100755 --- a/GameEngine/Database.php +++ b/GameEngine/Database.php @@ -3016,6 +3016,8 @@ class MYSQLi_DB implements IDbConnection { function setAlliName($aid, $name, $tag) { list($aid, $name, $tag) = $this->escape_input((int) $aid, $name, $tag); + $name = $this->RemoveXSS($name); + $tag = $this->RemoveXSS($tag); $q = "UPDATE " . TB_PREFIX . "alidata set name = '$name', tag = '$tag' where id = $aid"; return mysqli_query($this->dblink,$q); @@ -3109,6 +3111,8 @@ class MYSQLi_DB implements IDbConnection { *****************************************/ function createAlliance($tag, $name, $uid, $max) { list($tag, $name, $uid, $max) = $this->escape_input($tag, $name, (int) $uid, (int) $max); + $tag = $this->RemoveXSS($tag); + $name = $this->RemoveXSS($name); $q = "INSERT into " . TB_PREFIX . "alidata values (0,'$name','$tag',$uid,0,0,0,'','',$max,0,0,0,0,0,0,0,0,0)"; mysqli_query($this->dblink,$q); diff --git a/GameEngine/Generator.php b/GameEngine/Generator.php index 2b8ed1e8..c7ce83e9 100755 --- a/GameEngine/Generator.php +++ b/GameEngine/Generator.php @@ -18,7 +18,7 @@ class MyGenerator { public function generateRandStr($length){ $randstr = ""; for($i = 0; $i < $length; $i++){ - $randnum = mt_rand(0, 61); + $randnum = random_int(0, 61); if($randnum < 10) $randstr .= chr($randnum + 48); else if($randnum < 36) $randstr .= chr($randnum + 55); else $randstr .= chr($randnum + 61); diff --git a/GameEngine/Ranking.php b/GameEngine/Ranking.php index c5727e86..e8b1f9a9 100755 --- a/GameEngine/Ranking.php +++ b/GameEngine/Ranking.php @@ -163,7 +163,7 @@ private function getStart($search) { $multiplier = 1; if(!is_numeric($search)) { - $_SESSION['search'] = $search; + $_SESSION['search'] = htmlspecialchars($search); } else { if($search > count($this->rankarray)) { $search = count($this->rankarray) - 1; @@ -172,8 +172,8 @@ $multiplier += 1; } $start = 20 * $multiplier - 19 - 1; - $_SESSION['search'] = $search; - $_SESSION['start'] = $start; + $_SESSION['search'] = htmlspecialchars($search); + $_SESSION['start'] = htmlspecialchars($start); } } diff --git a/Templates/Profile/preference.tpl b/Templates/Profile/preference.tpl index a612e45d..bf3b13e0 100644 --- a/Templates/Profile/preference.tpl +++ b/Templates/Profile/preference.tpl @@ -36,12 +36,12 @@ if($_POST) { if(substr($key, 0, 8) == 'linkname') { $i = substr($key, 8); - $links[$i]['linkname'] = mysqli_real_escape_string($database->dblink, $value); + $links[$i]['linkname'] = htmlspecialchars(mysqli_real_escape_string($database->dblink, $value)); } if(substr($key, 0, 8) == 'linkziel') { $i = substr($key, 8); - $links[$i]['linkziel'] = mysqli_real_escape_string($database->dblink, $value); + $links[$i]['linkziel'] = htmlspecialchars(mysqli_real_escape_string($database->dblink, $value)); } } diff --git a/install/process.php b/install/process.php index b7925e41..814ece82 100644 --- a/install/process.php +++ b/install/process.php @@ -12,6 +12,10 @@ // don't let SQL time out when 30-500 seconds (depending on php.ini) is not enough @set_time_limit(0); +if (file_exists("../var/installed")) { + die("ERROR!
Installation appears to have been completed.
If this is an error remove /var/installed file in install directory."); +} + class Process { function __construct() { diff --git a/login.php b/login.php index a461bd57..3c12625e 100644 --- a/login.php +++ b/login.php @@ -186,7 +186,7 @@ Element.implement({ - " maxlength="30" autocomplete='off' /> getError("user"); ?> + " maxlength="30" autocomplete='off' /> getError("user"); ?>