From 7550df3915d7e9c83c430ff3067dd73264e7866d Mon Sep 17 00:00:00 2001
From: rvelices <rv-github@modusoptimus.com>
Date: Sat, 23 Aug 2008 01:15:33 +0000
Subject: - security fix : when conf['question_mark_in_urls']=true ,
 $_SERVER['PATH_INFO'] was not sanitized against sql injection - mysql errors
 are now dumped using trigger_error instead of echo and die -> allow admins to
 see later on if someone tries funny stuff

git-svn-id: http://piwigo.org/svn/branches/branch-1_7@2483 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 include/common.inc.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'include/common.inc.php')

diff --git a/include/common.inc.php b/include/common.inc.php
index ef772747f..43dae02a6 100644
--- a/include/common.inc.php
+++ b/include/common.inc.php
@@ -102,6 +102,10 @@ if( !get_magic_quotes_gpc() )
     @reset($_COOKIE);
   }
 }
+if ( !empty($_SERVER["PATH_INFO"]) )
+{
+  $_SERVER["PATH_INFO"] = addslashes($_SERVER["PATH_INFO"]);
+}
 
 //
 // Define some basic configuration arrays this also prevents malicious
@@ -141,10 +145,8 @@ include(PHPWG_ROOT_PATH . 'include/functions.inc.php');
 include(PHPWG_ROOT_PATH . 'include/template.php');
 
 // Database connection
-mysql_connect( $cfgHote, $cfgUser, $cfgPassword )
-or die ( "Could not connect to database server" );
-mysql_select_db( $cfgBase )
-or die ( "Could not connect to database" );
+@mysql_connect( $cfgHote, $cfgUser, $cfgPassword ) or my_error( 'mysql_connect', true );
+@mysql_select_db( $cfgBase ) or my_error( 'mysql_select_db', true );
 
 //
 // Setup gallery wide options, if this fails then we output a CRITICAL_ERROR
-- 
cgit v1.2.3