diff options
| author | Eric <eric@piwigo.org> | 2009-11-18 20:07:20 +0000 |
|---|---|---|
| committer | Eric <eric@piwigo.org> | 2009-11-18 20:07:20 +0000 |
| commit | 1235bab5276f8c56ed6ba9cff46563c143c3e240 (patch) | |
| tree | 653723f35e14bcee66eeb6bad049c3b106444040 /include/functions_user.inc.php | |
| parent | 8a299654501db00316a56efda76448a6bb3975e1 (diff) | |
Escape all login and username characters in database
Display correctly usernames
(I hope not to have made mistakes)
git-svn-id: http://piwigo.org/svn/trunk@4304 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/functions_user.inc.php')
| -rw-r--r-- | include/functions_user.inc.php | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index c1f7029d4..f8f02719f 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php @@ -170,7 +170,7 @@ SELECT id $keyargs_content = array ( - get_l10n_args('User: %s', $login), + get_l10n_args('User: %s', stripslashes($login)), get_l10n_args('Email: %s', $_POST['mail_address']), get_l10n_args('', ''), get_l10n_args('Admin: %s', $admin_url) @@ -178,7 +178,7 @@ SELECT id pwg_mail_notification_admins ( - get_l10n_args('Registration of %s', $login), + get_l10n_args('Registration of %s', stripslashes($login)), $keyargs_content ); } @@ -933,8 +933,8 @@ WHERE '.$conf['user_fields']['id'].' = '.$user_id; if (mysql_num_rows($result) > 0) { $row = mysql_fetch_assoc($result); - $username = $row['username']; - $data = $time.$row['username'].$row['password']; + $username = stripslashes($row['username']); + $data = $time.stripslashes($row['username']).$row['password']; $key = base64_encode( pack('H*', sha1($data)) .hash_hmac('md5', $data, $conf['secret_key'],true) @@ -1018,7 +1018,7 @@ function auto_login() { if ($key!==false and $key===$cookie[2]) { log_user($cookie[0], true); - trigger_action('login_success', $username); + trigger_action('login_success', stripslashes($username)); return true; } } @@ -1039,16 +1039,16 @@ function try_log_user($username, $password, $remember_me) SELECT '.$conf['user_fields']['id'].' AS id, '.$conf['user_fields']['password'].' AS password FROM '.USERS_TABLE.' - WHERE '.$conf['user_fields']['username'].' = \''.$username.'\' + WHERE '.$conf['user_fields']['username'].' = \''.mysql_real_escape_string($username).'\' ;'; $row = mysql_fetch_assoc(pwg_query($query)); if ($row['password'] == $conf['pass_convert']($password)) { log_user($row['id'], $remember_me); - trigger_action('login_success', $username); + trigger_action('login_success', stripslashes($username)); return true; } - trigger_action('login_failure', $username); + trigger_action('login_failure', stripslashes($username)); return false; } |