From 7ce249f0bbb019c12c694884cd9f676189b1b43c Mon Sep 17 00:00:00 2001
From: plegall
Date: Mon, 13 Sep 2010 20:52:47 +0000
Subject: merge r6905 from branch 2.1 to trunk bug 1849 fixed: protect $_GET keys against SQL injections before parsing URL.
git-svn-id: http://piwigo.org/svn/trunk@6906 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 include/section_init.inc.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'include/section_init.inc.php')
diff --git a/include/section_init.inc.php b/include/section_init.inc.php
index a4e10f806..38536ba90 100644
--- a/include/section_init.inc.php
+++ b/include/section_init.inc.php
@@ -61,6 +61,10 @@ else
 $rewritten = $key;
 break;
 }
+
+ // the $_GET keys are not protected in include/common.inc.php, only the values
+ $rewritten = pwg_db_real_escape_string($rewritten);
+
 $page['root_path'] = PHPWG_ROOT_PATH;
 }
-- cgit v1.2.3
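Review bot: Escaping `$rewritten` once, before it is split into tokens, only protects the places where a token later lands inside a quoted SQL string literal; a token concatenated into a query as a bare number or identifier, or echoed into HTML, is not made safe by `pwg_db_real_escape_string()`. The code that parses `$rewritten` and the start of the enclosing `else` block are outside this hunk, so this needs confirming there. The more robust pattern is to validate each token against its expected format when it is parsed, and to escape or cast at each query site. If the early escape stays, the comment should state its limits, e.g. `// SQL-escaped for quoted string contexts only; numeric tokens and HTML output must still be validated/encoded where used`. The escaped value may also carry added backslashes into non-SQL uses such as display or URL rebuilding, which is worth checking.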