mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-16 17:46:09 +00:00
fix: remove SQL injections in Admin
This commit is contained in:
@@ -15,8 +15,8 @@ include_once("../../config.php");
|
||||
$GLOBALS["link"] = mysqli_connect(SQL_SERVER, SQL_USER, SQL_PASS);
|
||||
mysqli_select_db($GLOBALS["link"], SQL_DB);
|
||||
|
||||
$session = $_POST['admid'];
|
||||
$id = $_POST['did'];
|
||||
$session = (int) $_POST['admid'];
|
||||
$id = (int) $_POST['did'];
|
||||
|
||||
$sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id = ".$session."");
|
||||
$access = mysqli_fetch_array($sql);
|
||||
@@ -25,12 +25,12 @@ $sessionaccess = $access['access'];
|
||||
if($sessionaccess != 9) die("<h1><font color=\"red\">Access Denied: You are not Admin!</font></h1>");
|
||||
|
||||
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."vdata SET
|
||||
wood = '".$_POST['wood']."',
|
||||
clay = '".$_POST['clay']."',
|
||||
iron = '".$_POST['iron']."',
|
||||
crop = '".$_POST['crop']."',
|
||||
maxstore = '".$_POST['maxstore']."',
|
||||
maxcrop = '".$_POST['maxcrop']."'
|
||||
wood = '".(int) $_POST['wood']."',
|
||||
clay = '".(int) $_POST['clay']."',
|
||||
iron = '".(int) $_POST['iron']."',
|
||||
crop = '".(int) $_POST['crop']."',
|
||||
maxstore = '".(int) $_POST['maxstore']."',
|
||||
maxcrop = '".(int) $_POST['maxcrop']."'
|
||||
WHERE wref = '".$id."'") or die(mysqli_error($database->dblink));
|
||||
|
||||
header("Location: ../../../Admin/admin.php?p=village&did=".$id."");
|
||||
|
||||
Reference in New Issue
Block a user