Rooba
/
boinc
mirror of https://github.com/BOINC/boinc.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

user web: do SQL escaping before storing prefs in the database as some projects store user-editable strings in the preferences. 

svn path=/trunk/boinc/; revision=20188
This commit is contained in:
Rytis Slatkevičius 2010-01-18 15:19:23 +00:00
parent 0c1a1421f8
commit d6d8037f5d
2 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
checkin_notes
View File

@ -470,3 +470,10 @@ David 17 Jan 2010
sched_send.cpp sched_send.cpp
sched_shmem.cpp sched_shmem.cpp
handle_request.cpp handle_request.cpp
Rytis 18 Jan 2010
- user web: do SQL escaping before storing prefs in the database as some
projects store user-editable strings in the preferences.
html/inc/
prefs.inc

4
html/inc/prefs.inc
View File

@ -1584,7 +1584,7 @@ function project_prefs_make_xml($prefs, $primary=true) {
// Update user's prefs in database, from a given structure // Update user's prefs in database, from a given structure
// //
function global_prefs_update(&$user, $prefs) { function global_prefs_update(&$user, $prefs) {
$prefs_xml = global_prefs_make_xml($prefs); $prefs_xml = mysql_real_escape_string(global_prefs_make_xml($prefs));
$query = "update user set global_prefs='$prefs_xml' where id=$user->id"; $query = "update user set global_prefs='$prefs_xml' where id=$user->id";
$retval = mysql_query($query); $retval = mysql_query($query);
if (!$retval) { if (!$retval) {
@ -1597,7 +1597,7 @@ function global_prefs_update(&$user, $prefs) {
} }
function project_prefs_update(&$user, $prefs) { function project_prefs_update(&$user, $prefs) {
$prefs_xml = project_prefs_make_xml($prefs); $prefs_xml = mysql_real_escape_string(project_prefs_make_xml($prefs));
$retval = mysql_query("update user set project_prefs='$prefs_xml', send_email=$user->send_email, show_hosts=$user->show_hosts where id=$user->id"); $retval = mysql_query("update user set project_prefs='$prefs_xml', send_email=$user->send_email, show_hosts=$user->show_hosts where id=$user->id");
$user->project_prefs = $prefs_xml; $user->project_prefs = $prefs_xml;
return $retval; return $retval;