From: <ar...@us...> - 2013-06-25 21:54:19
Revision: 46462
http://sourceforge.net/p/tikiwiki/code/46462
Author: arildb
Date: 2013-06-25 21:54:16 +0000 (Tue, 25 Jun 2013)
Log Message:
-----------
[SEC] Always use parameters in queries to prevent XSS

Modified Paths:
--------------
trunk/lib/logs/logslib.php

Modified: trunk/lib/logs/logslib.php
===================================================================
--- trunk/lib/logs/logslib.php 2013-06-25 21:10:40 UTC (rev 46461)
+++ trunk/lib/logs/logslib.php 2013-06-25 21:54:16 UTC (rev 46462)
@@ -324,10 +324,10 @@
 {
 $actionlogconf = array();
 $query = "select * from `tiki_actionlog_conf`" .
- " where `objectType` like '$type' and `action` like '$action'" .
+ " where `objectType` like ? and `action` like ?" .
 " order by `objectType` desc, `action` asc" ;
- $result = $this->query($query, array());
+ $result = $this->query($query, array($type, $action));
 while ($res = $result->fetchRow()) {
 if ( $res['action'] == '%' ) {

This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
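Review bot: Binding `$type` and `$action` keeps them out of the SQL text, but both are still compared with `like`, so any `%` or `_` inside the bound values continues to act as a wildcard and can widen which `tiki_actionlog_conf` rows are returned; a comment next to the `$query` assignment should make that explicit, e.g. `// bound values are LIKE patterns: '%' and '_' in $type/$action act as wildcards by design`. The `$res['action'] == '%'` check two lines below suggests wildcard actions are an intended feature, so this is likely acceptable, but the function starts and ends outside the hunk and its callers are not visible, so whether those values can originate from a request cannot be confirmed here. Separately, the log message says the change prevents XSS, whereas the hunk replaces string interpolation in a SQL statement with placeholders, which addresses SQL injection; the commit message should name the issue it actually fixes so the security history stays accurate.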