From 726529c49bdd049c039928dac3e736dac6263e51 Mon Sep 17 00:00:00 2001 From: rvelices Date: Sat, 23 Aug 2008 01:18:13 +0000 Subject: merge r2483 from branch 1.7 - security fix : when conf['question_mark_in_urls']=true , $_SERVER['PATH_INFO'] was not sanitized against sql injection - mysql errors are now dumped using trigger_error instead of echo and die -> allow admins to see later on if someone tries funny stuff git-svn-id: http://piwigo.org/svn/trunk@2484 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 include/common.inc.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'include/common.inc.php')
diff --git a/include/common.inc.php b/include/common.inc.php
index 2e3d27ee3..d12b8bb70 100644
--- a/include/common.inc.php
+++ b/include/common.inc.php
@@ -98,6 +98,10 @@ if( !get_magic_quotes_gpc() )
 @reset($_COOKIE);
 }
 }
+if ( !empty($_SERVER["PATH_INFO"]) )
+{
+ $_SERVER["PATH_INFO"] = addslashes($_SERVER["PATH_INFO"]);
+}
 //
 // Define some basic configuration arrays this also prevents malicious
@@ -138,10 +142,8 @@ include(PHPWG_ROOT_PATH . 'include/functions.inc.php');
 include(PHPWG_ROOT_PATH . 'include/template.class.php');
 // Database connection
-mysql_connect( $cfgHote, $cfgUser, $cfgPassword )
-or die ( "Could not connect to database server" );
-mysql_select_db( $cfgBase )
-or die ( "Could not connect to database" );
+@mysql_connect( $cfgHote, $cfgUser, $cfgPassword ) or my_error( 'mysql_connect', true );
+@mysql_select_db( $cfgBase ) or my_error( 'mysql_select_db', true );
 defined('PWG_CHARSET') and defined('DB_CHARSET') or die('PWG_CHARSET and/or DB_CHARSET is not defined');
-- cgit v1.2.3
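Review bot: addslashes() on $_SERVER["PATH_INFO"] is applied globally rather than at the query site, and it is not the escaping the MySQL driver expects: it is unaware of the connection charset, and it rewrites the value for every non-SQL consumer of PATH_INFO (URL parsing, redirects, output), which is the same footgun the surrounding get_magic_quotes_gpc() block exists to compensate for. A more robust fix keeps the raw value here and, where a path segment reaches a query, validates it against the narrow shape the URL scheme expects or escapes it with mysql_real_escape_string() once the connection exists. The new guard also runs unconditionally while the commit message scopes the issue to conf['question_mark_in_urls']=true; if that is intentional, a comment such as `// catch-all: PATH_INFO is parsed into query values before any per-site escaping can run` would stop a later maintainer from dropping it as redundant. The enclosing magic-quotes block starts outside the hunk.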
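Review bot: The @ on mysql_connect() and mysql_select_db() discards the driver's own warning, so unless my_error() (presumably defined in the functions.inc.php included just above, confirm) captures mysql_error() itself, the admin loses the only text that says why the connection failed (access denied versus host unreachable). Since the commit routes failures through trigger_error() so they can be reviewed later, the handler should send them to the error log and not the response: with display_errors enabled, a failed query reported this way would echo the query text, including any attacker-controlled fragment, back to the requester. A short comment such as `// connection failures go through my_error() -> trigger_error(); keep display_errors off so they reach the log only` would capture that expectation. The rest of the connection setup continues outside the hunk.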