Fixed cross-site scripting (XSS) issue in the id parameter on the admin/searches.php page

This commit is contained in:
Andre Lorbach 2012-05-22 12:12:45 +02:00
parent 2e62839897
commit a0ffd04bfb


@ -120,7 +120,7 @@ if ( isset($_GET['op']) )
if ( isset($_GET['id']) ) if ( isset($_GET['id']) )
{ {
//PreInit these values //PreInit these values
$content['SEARCHID'] = DB_RemoveBadChars($_GET['id']); $content['SEARCHID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
$sqlquery = "SELECT * " . $sqlquery = "SELECT * " .
" FROM " . DB_SEARCHES . " FROM " . DB_SEARCHES .
@ -183,7 +183,7 @@ if ( isset($_GET['op']) )
if ( isset($_GET['id']) ) if ( isset($_GET['id']) )
{ {
//PreInit these values //PreInit these values
$content['SEARCHID'] = DB_RemoveBadChars($_GET['id']); $content['SEARCHID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
// Get UserInfo // Get UserInfo
$result = DB_Query("SELECT DisplayName FROM " . DB_SEARCHES . " WHERE ID = " . $content['SEARCHID'] ); $result = DB_Query("SELECT DisplayName FROM " . DB_SEARCHES . " WHERE ID = " . $content['SEARCHID'] );
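Review bot: strip_tags() on the changed line is not an escaping function for the contexts this value reaches: it removes `<...>` tags but keeps quotes, so if a template echoes SEARCHID inside an attribute value (`value="..."`, `href="...?id=..."`) a payload such as `" onmouseover=...` passes straight through, and it does nothing for the unquoted SQL concatenation on the line below, `WHERE ID = " . $content['SEARCHID']`, whose safety rests entirely on whatever DB_RemoveBadChars() does, which is not visible here. Since ID is compared as a number in that query, the simplest fix closes both paths at once: `$content['SEARCHID'] = (int)$_GET['id'];` — an integer can neither carry markup nor change the query — with the same change in the first hunk, where the SELECT that consumes it continues past the hunk. Any user-supplied value that must stay a string should be escaped with htmlspecialchars() at the point of output rather than sanitised on input. Both enclosing `if ( isset($_GET['id']) )` blocks run past the end of their hunks, so how SEARCHID is rendered afterwards could not be checked.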