aboutsummaryrefslogtreecommitdiffstats
path: root/include/functions_user.inc.php
diff options
context:
space:
mode:
authorEric <eric@piwigo.org>2009-11-18 20:07:20 +0000
committerEric <eric@piwigo.org>2009-11-18 20:07:20 +0000
commit1235bab5276f8c56ed6ba9cff46563c143c3e240 (patch)
tree653723f35e14bcee66eeb6bad049c3b106444040 /include/functions_user.inc.php
parent8a299654501db00316a56efda76448a6bb3975e1 (diff)
Escape all login and username characters in database
Display correctly usernames (I hope not to have made mistakes) git-svn-id: http://piwigo.org/svn/trunk@4304 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/functions_user.inc.php')
-rw-r--r--include/functions_user.inc.php16
1 files changed, 8 insertions, 8 deletions
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index c1f7029d4..f8f02719f 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -170,7 +170,7 @@ SELECT id
$keyargs_content = array
(
- get_l10n_args('User: %s', $login),
+ get_l10n_args('User: %s', stripslashes($login)),
get_l10n_args('Email: %s', $_POST['mail_address']),
get_l10n_args('', ''),
get_l10n_args('Admin: %s', $admin_url)
@@ -178,7 +178,7 @@ SELECT id
pwg_mail_notification_admins
(
- get_l10n_args('Registration of %s', $login),
+ get_l10n_args('Registration of %s', stripslashes($login)),
$keyargs_content
);
}
@@ -933,8 +933,8 @@ WHERE '.$conf['user_fields']['id'].' = '.$user_id;
if (mysql_num_rows($result) > 0)
{
$row = mysql_fetch_assoc($result);
- $username = $row['username'];
- $data = $time.$row['username'].$row['password'];
+ $username = stripslashes($row['username']);
+ $data = $time.stripslashes($row['username']).$row['password'];
$key = base64_encode(
pack('H*', sha1($data))
.hash_hmac('md5', $data, $conf['secret_key'],true)
@@ -1018,7 +1018,7 @@ function auto_login() {
if ($key!==false and $key===$cookie[2])
{
log_user($cookie[0], true);
- trigger_action('login_success', $username);
+ trigger_action('login_success', stripslashes($username));
return true;
}
}
@@ -1039,16 +1039,16 @@ function try_log_user($username, $password, $remember_me)
SELECT '.$conf['user_fields']['id'].' AS id,
'.$conf['user_fields']['password'].' AS password
FROM '.USERS_TABLE.'
- WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
+ WHERE '.$conf['user_fields']['username'].' = \''.mysql_real_escape_string($username).'\'
;';
$row = mysql_fetch_assoc(pwg_query($query));
if ($row['password'] == $conf['pass_convert']($password))
{
log_user($row['id'], $remember_me);
- trigger_action('login_success', $username);
+ trigger_action('login_success', stripslashes($username));
return true;
}
- trigger_action('login_failure', $username);
+ trigger_action('login_failure', stripslashes($username));
return false;
}