tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-8437-SQL-Injection-en-API' into 'develop' 

sanitize sql inputs

See merge request artica/pandorafms!4629
This commit is contained in:
vgilc 2022-01-25 10:30:01 +00:00
parent f2d0ecc304 c93a758111
commit 6edc6c6d40
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pandora_console/include/functions_api.php
View File

@ -16590,7 +16590,11 @@ function api_get_user_info($thrash1, $thrash2, $other, $returnType)
$other = json_decode(base64_decode($other['data']), true);
$sql = 'select * from tusuario where id_user = "'.$other[0]['id_user'].'" and password = "'.$other[0]['password'].'"';
$sql = sprintf(
'SELECT * FROM tusuario WHERE id_user = "%s" and password = "%s"',
mysql_escape_string_sql($other[0]['id_user']),
mysql_escape_string_sql($other[0]['password'])
);
$user_info = db_get_all_rows_sql($sql);