From 7ab606155255df6501ab67279d39d20bd46df2e9 Mon Sep 17 00:00:00 2001 From: plegall Date: Thu, 8 Jan 2015 13:11:03 +0000 Subject: merge r30864 from trunk to branch 2.6 bug 3186: improved security on search.php git-svn-id: http://piwigo.org/svn/branches/2.6@30866 68402e56-0260-453c-a942-63ccdbb3a9ee --- search.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'search.php') diff --git a/search.php b/search.php index 6feee2780..fed2e4c5f 100644 --- a/search.php +++ b/search.php @@ -105,6 +105,8 @@ if (isset($_POST['submit'])) } // dates + check_input_parameter('date_type', $_POST, false, '/^date_(creation|available)$/'); + $type_date = $_POST['date_type']; if (!empty($_POST['start_year'])) @@ -144,7 +146,7 @@ if (isset($_POST['submit'])) INSERT INTO '.SEARCH_TABLE.' (rules, last_seen) VALUES - (\''.serialize($search).'\', NOW()) + (\''.pwg_db_real_escape_string(serialize($search)).'\', NOW()) ;'; pwg_query($query); -- cgit v1.2.3
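Review bot: The added whitelist covers only `date_type`, and the very next line, `$type_date = $_POST['date_type'];`, still reads the key unconditionally. A request that omits the field is therefore only handled if `check_input_parameter` rejects a missing value, and its definition is not on this page. If it lets missing input through, an explicit fallback such as `$type_date = isset($_POST['date_type']) ? $_POST['date_type'] : 'date_creation';` would keep `$type_date` to a known value. The `start_year` field tested on the last context line gets no comparable check in this hunk; the enclosing `if (isset($_POST['submit']))` block starts and ends outside it, so that field may be validated elsewhere. A one-line comment above the new call, e.g. `// accept only the two known date fields, reject anything else`, would record the intent of the pattern.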
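Review bot: Wrapping `serialize($search)` in `pwg_db_real_escape_string()` fixes quoting for this INSERT only; the values inside `$search` are still stored exactly as submitted. Presumably the row is later unserialized and its rules turned into SQL conditions when the search is run, which is code outside this hunk. If so, each rule value still needs validating or escaping where it is consumed, or `$search` should be built only from fields that have already passed `check_input_parameter`. A comment on the changed line such as `// rules come from $_POST: escaped for storage here, validate again when they are read back` would make that boundary explicit.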