mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-12 07:36:07 +00:00
fix: remove SQL injections in Admin
This commit is contained in:
@@ -15,10 +15,14 @@ mysqli_select_db(SQL_DB);
|
||||
if (!isset($_SESSION)) session_start();
|
||||
if($_SESSION['access'] < ADMIN) die("Access Denied: You are not Admin!");
|
||||
|
||||
foreach ($_POST as $key => $value) {
|
||||
$_POST[$key] = $database->escape($value);
|
||||
}
|
||||
|
||||
$id = $_POST['id'];
|
||||
$user = $database->getUserArray($id,1);
|
||||
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET email = '".$_POST['email']."', tribe = ".$_POST['tribe'].", location = '".$_POST['location']."', desc1 = '".$_POST['desc1']."', `desc2` = '".$_POST['desc2']."' WHERE id = ".$_POST['id']."");
|
||||
mysqli_query($GLOBALS["link"], "Insert into ".TB_PREFIX."admin_log values (0,".$_SESSION['id'].",'Changed <a href=\'admin.php?p=village&did=$id\'>".$user['username']."</a>\'s profile',".time().")");
|
||||
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET email = '".$_POST['email']."', tribe = ".(int) $_POST['tribe'].", location = '".$_POST['location']."', desc1 = '".$_POST['desc1']."', desc2 = '".$_POST['desc2']."' WHERE id = ".(int) $_POST['id']."");
|
||||
mysqli_query($GLOBALS["link"], "Insert into ".TB_PREFIX."admin_log values (0,".(int) $_SESSION['id'].",'Changed <a href=\'admin.php?p=village&did=$id\'>".$user['username']."</a>\'s profile',".time().")");
|
||||
|
||||
|
||||
header("Location: ../../../Admin/admin.php?p=player&uid=".$id."");
|
||||
|
||||
Reference in New Issue
Block a user