From b960d78d9e84d1d49be16a651d5ce9939b6b4149 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rytis=20Slatkevi=C4=8Dius?=
Date: Thu, 4 Dec 2014 14:23:13 +0200
Subject: [PATCH] web: fix SQL injection in remote job submission

---
 html/user/submit_rpc_handler.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/html/user/submit_rpc_handler.php b/html/user/submit_rpc_handler.php
index ed72f4af4a..0197bf6474 100644
--- a/html/user/submit_rpc_handler.php
+++ b/html/user/submit_rpc_handler.php
@@ -302,6 +302,7 @@ function submit_batch($r) {
 if (!$ret) xml_error(-1, "BOINC server: batch->update() failed");
 } else {
 $batch_name = (string)($r->batch->batch_name);
+ $batch_name = BoincDb::escape_string($batch_name);
 $batch_id = BoincBatch::insert(
 "(user_id, create_time, njobs, name, app_id, logical_end_time, state) values ($user->id, $now, $njobs, '$batch_name', $app->id, $let, ".BATCH_STATE_INIT.")"
 );
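Review bot: The added line overwrites `$batch_name` with its SQL-escaped form, so any later use of the name inside submit_batch (the function starts and ends outside this hunk), for example in the XML reply or a log line, would now carry backslash-escaped text instead of the submitted value. Keep the two apart: `$batch_name_esc = BoincDb::escape_string($batch_name);` and interpolate `'$batch_name_esc'` in the values clause. Escaping only protects the one quoted literal; `$njobs` and `$let` are interpolated unquoted into the same statement and their derivation is not visible here, so they should be confirmed to be integer-cast before the string is assembled. If BoincBatch::insert can take bound parameters, a prepared statement would remove this class of defect rather than patching one field.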