
#10 some missing input validation in content.php

Status: closed-accepted
Owner: Daniel
Labels: None
Priority: 5
Updated: 2006-09-25
Created: 2006-09-23
Creator: franky
Private: No

Hi,

$d_version = '0.1.8 r654';

in line 46
or !($content_secid = in_num('content_catid', &$_POST))
should be
or !($content_secid = in_num('content_secid', &$_POST))

missing input validation after line 87 : case "edit_content" :

could be :
if ( trim($_POST['content_bodytext'])=="<br />")
    $_POST['content_bodytext']="";
if (!($content_id = in_num('content_id', &$_POST))
    or !($content_catid = in_num('content_catid', &$_POST))
    or !($content_title = in_sql('content_title', &$_POST, null, 100))
)
    $d->Redir('index.php?option=content&task=edit', _FORM_NC);
$content_ocatid = in_num('content_ocatid', &$_POST);
$content_published = in_checkbox('content_published', &$_POST);
$content_introtext = in_sql('content_introtext', &$_POST, '');
$content_bodytext = in_sql('content_bodytext', &$_POST, '');

not a bug !! line 35-41
case "insert" : showcontent($id,"content",true);break;
case "view" :
    global $d_db;
    if ($d_db!="text")
        change_val("content",$id,"hits",1); //slows the cache system otherwise
    showcontent($id,"content",true);
    break;

after submitting a comment to a content, the task=insert will be sent; it will show me again the content with my submitted comment. I think that it is not necessary to update the hits of the content, so I prefer this solution

case "insert" : showcontent($id,"content",true);break;
case "view" :
    global $d_db;
    if ($d_db!="text")
        change_val("content",$id,"hits",1); //slows the cache system otherwise
    showcontent($id,"content",true);
    break;

if you confirm, then we should also change line 115
$d->Redir("index.php?option=content&task=view&id=$content_id");
to
$d->Redir("index.php?option=content&task=insert&id=$content_id");
so there will be no hits for the first showing of the content that was just written by me.

franky2004
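As an added example (not code from the tracker or the project), hypothetical stand-ins for the in_num()/in_sql()/in_checkbox() helpers the report calls, with their signatures assumed from the calls above, applied to the same edit_content fields so that a non-numeric id or a missing/over-long title aborts before anything is used. The project's real in_sql() presumably also escapes for the database, which this stand-in does not attempt.

```php
<?php
// Positive integer from the request, or false when missing or not all digits.
function in_num(string $key, array $src) {
    if (!isset($src[$key]) || !preg_match('/^[0-9]+$/', (string)$src[$key])) {
        return false;
    }
    return (int)$src[$key];
}
// Trimmed string from the request. $default is returned when the field is absent;
// a null $default marks the field required, so absence yields false. Values longer
// than $maxlen are rejected (false) rather than silently truncated.
function in_sql(string $key, array $src, ?string $default = '', int $maxlen = 0) {
    if (!isset($src[$key])) {
        return $default === null ? false : $default;
    }
    $v = trim((string)$src[$key]);
    if ($v === '<br />') {   // empty editor submission, as in the report
        $v = '';
    }
    return ($maxlen > 0 && strlen($v) > $maxlen) ? false : $v;
}
function in_checkbox(string $key, array $src): int {
    return isset($src[$key]) ? 1 : 0;
}
// The "edit_content" check from the report: required fields first, optional ones
// after. Returns the cleaned fields, or null so the caller can Redir() with _FORM_NC.
function validate_edit_content(array $post): ?array {
    $id    = in_num('content_id', $post);
    $catid = in_num('content_catid', $post);
    $title = in_sql('content_title', $post, null, 100);
    if ($id === false || $catid === false || $title === false || $title === '') {
        return null;
    }
    return [
        'content_id'        => $id,
        'content_catid'     => $catid,
        'content_title'     => $title,
        'content_ocatid'    => in_num('content_ocatid', $post),
        'content_published' => in_checkbox('content_published', $post),
        'content_introtext' => in_sql('content_introtext', $post, ''),
        'content_bodytext'  => in_sql('content_bodytext', $post, ''),
    ];
}
// Constructed requests: the first passes, the second fails on a non-numeric id.
var_dump(validate_edit_content(['content_id' => '12', 'content_catid' => '3',
    'content_title' => 'Hello', 'content_bodytext' => '<br />']));
var_dump(validate_edit_content(['content_id' => '12abc', 'content_catid' => '3',
    'content_title' => 'Hello']));
```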

Discussion

  • franky - 2006-09-23

    not a bug !! line 35-41
    case "insert" : showcontent($id,"content",true);break;
    case "view" :
        global $d_db;
        if ($d_db!="text")
            change_val("content",$id,"hits",1); //slows the cache system otherwise
        showcontent($id,"content",true);
        break;

    this part of the text should be :

    not a bug !! line 35-41
    case "insert" :
    case "view" :
        global $d_db;
        if ($d_db!="text")
            change_val("content",$id,"hits",1); //slows the cache system otherwise
        showcontent($id,"content",true);
        break;

    after submitting a comment to a content, the task=insert will be sent; it will show me again the content with my submitted comment. I think that it is not necessary to update the hits of the content, so I prefer this solution

    case "insert" : showcontent($id,"content",true);break;
    case "view" :
        global $d_db;
        if ($d_db!="text")
            change_val("content",$id,"hits",1); //slows the cache system otherwise
        showcontent($id,"content",true);
        break;

    if you confirm, then we should also change line 115
    $d->Redir("index.php?option=content&task=view&id=$content_id");
    to
    $d->Redir("index.php?option=content&task=insert&id=$content_id");
    so there will be no hits for the first showing of the content that was just written by me.

  • Daniel - 2006-09-23
    • assigned_to: nobody --> legolas558
    • status: open --> open-accepted
  • Daniel - 2006-09-23


    Modifications applied with latest patch, please confirm if
    they are ok and then close this tracker item (under Patches)

  • Daniel - 2006-09-25
    • status: open-accepted --> closed-accepted