diff --git a/checkin_notes b/checkin_notes
index dbf8052e7d..cb8667b654 100644
--- a/checkin_notes
+++ b/checkin_notes
@@ -470,3 +470,10 @@ David 17 Jan 2010
     sched_send.cpp
     sched_shmem.cpp
     handle_request.cpp
+
+Rytis 18 Jan 2010
+    - user web: do SQL escaping before storing prefs in the database as some
+      projects store user-editable strings in the preferences.
+
+    html/inc/
+        prefs.inc
diff --git a/html/inc/prefs.inc b/html/inc/prefs.inc
index 525e021aa0..dab3ea6314 100644
--- a/html/inc/prefs.inc
+++ b/html/inc/prefs.inc
@@ -1584,7 +1584,7 @@ function project_prefs_make_xml($prefs, $primary=true) {
 // Update user's prefs in database, from a given structure
 //
 function global_prefs_update(&$user, $prefs) {
-    $prefs_xml = global_prefs_make_xml($prefs);
+    $prefs_xml = mysql_real_escape_string(global_prefs_make_xml($prefs));
     $query = "update user set global_prefs='$prefs_xml' where id=$user->id";
     $retval = mysql_query($query);
     if (!$retval) {
@@ -1597,7 +1597,7 @@ function global_prefs_update(&$user, $prefs) {
 }
 
 function project_prefs_update(&$user, $prefs) {
-    $prefs_xml = project_prefs_make_xml($prefs);
+    $prefs_xml = mysql_real_escape_string(project_prefs_make_xml($prefs));
     $retval = mysql_query("update user set project_prefs='$prefs_xml', send_email=$user->send_email, show_hosts=$user->show_hosts where id=$user->id");
     $user->project_prefs = $prefs_xml;
     return $retval;
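Review bot: In project_prefs_update the escaped string is now what gets stored back into the in-memory object, because `$user->project_prefs = $prefs_xml;` follows the new `mysql_real_escape_string(...)` assignment, so any later use of `$user->project_prefs` in the same request sees backslash-escaped XML rather than what the database holds after unescaping. Escape only at the query boundary and keep the clean value for the object: `$prefs_xml = project_prefs_make_xml($prefs);` then `$escaped = mysql_real_escape_string($prefs_xml);` and use `'$escaped'` in the query while `$user->project_prefs = $prefs_xml;` stays as before. global_prefs_update continues past the first hunk, so if it assigns `$user->global_prefs` the same way it presumably has the same problem and should be restructured identically. The numeric fields `$user->id`, `$user->send_email` and `$user->show_hosts` are still interpolated unquoted into the SQL; wrapping them in `(int)` would make those query strings robust regardless of where the values came from.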