fix: remove SQL injections in Admin

This commit is contained in:
Martin Ambrus
2017-10-19 21:17:11 +02:00
parent 529bb2209c
commit 331885a110
74 changed files with 327 additions and 221 deletions
+5 -1
View File
@@ -18,7 +18,11 @@ include_once("../../config.php");
$GLOBALS["link"] = mysqli_connect(SQL_SERVER, SQL_USER, SQL_PASS);
mysqli_select_db($GLOBALS["link"], SQL_DB);
$id = $_POST['id'];
foreach ($_POST as $key => $value) {
$_POST[$key] = $database->escape($value);
}
$id = (int) $_POST['id'];
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."fdata SET
f1 = '".$_POST['id1level']."',