tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-30 01:05:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-8437-SQL-Injection-en-API' into 'develop'

Browse Source 
sanitize sql inputs

See merge request artica/pandorafms!4629
This commit is contained in:
vgilc 2022-01-25 10:30:01 +00:00
commit 6edc6c6d40
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pandora_console/include/functions_api.php
View File

@ -16590,7 +16590,11 @@ function api_get_user_info($thrash1, $thrash2, $other, $returnType)
$other = json_decode(base64_decode($other['data']), true); $other = json_decode(base64_decode($other['data']), true);
$sql = 'select * from tusuario where id_user = "'.$other[0]['id_user'].'" and password = "'.$other[0]['password'].'"'; $sql = sprintf(
'SELECT * FROM tusuario WHERE id_user = "%s" and password = "%s"',
mysql_escape_string_sql($other[0]['id_user']),
mysql_escape_string_sql($other[0]['password'])
);
$user_info = db_get_all_rows_sql($sql); $user_info = db_get_all_rows_sql($sql);