>
> > trunk/edit-domain.php
> (reduced to non-whitespace changes)
:-)
> > @@ -69,1 +69,4 @@
> > - if (isset ($_POST['fTransport'])) $fTransport = escape_string
> > ($_POST['fTransport']);
> > + $fTransport = $CONF['transport_default'];
> > + if($CONF['transport'] != 'NO' && isset ($_POST['fTransport'])) {
> > + $fTransport = escape_string ($_POST['fTransport']);
> > + }
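Review bot: the condition on the added "if" line fails open. $CONF['transport'] != 'NO' is true when the setting is unset, empty or spelled differently (for example 'no'), so the POSTed fTransport is accepted in every one of those cases. Test for the enabling value instead, e.g. $CONF['transport'] === 'YES', so that anything other than an explicit YES takes the non-editable path. Style: "if(" is missing the space this file uses after keywords and function names ("isset (", "escape_string (").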
>
> IMHO this is buggy. Even if $CONF['transport'] is set to NO, there could
> be some domains with a transport different from
> $CONF['default_transport'] - for example, $CONF['transport'] could have
> been YES for some time.
True.
>
> The correct solution is to use the old transport value in the database
> also as new value. Or to simply omit changing the transport field in
> the UPDATE query if $CONF['transport'] is NO.
>
> Besides that: transport is not a freetext field, but a dropdown with a
> list of defined values ($CONF['transport_options']). So we should also
> check the input against this list of allowed values instead of simply
> escape_string'ing it.
OK. I agree. Will fix soon (unless someone beats me to it)
thanks
David.
--
David Goodwin
[ david at codepoets dot co dot uk ]
[ http://www.codepoets.co.uk ]
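The two fixes proposed in the thread (keep the stored transport when $CONF['transport'] is NO, and check the submitted value against $CONF['transport_options']) can be combined as below. This is an added example, not PostfixAdmin code: resolve_transport() and its parameters are hypothetical names, and treating 'YES' as the only enabling value is an assumption.

```php
<?php
// Added example, not PostfixAdmin code. resolve_transport() is a hypothetical
// helper; the $CONF keys and the fTransport field are the ones in the thread.

/**
 * Decide which transport value an edit-domain UPDATE should store.
 *
 * @param array  $conf    configuration ($CONF)
 * @param array  $post    request data ($_POST)
 * @param string $current transport currently stored for this domain
 * @throws InvalidArgumentException when the submitted value is not allowed
 */
function resolve_transport(array $conf, array $post, string $current): string
{
    // Option switched off (or missing): keep what the row already holds, so a
    // domain configured while the option was YES is not reset to the default.
    if (($conf['transport'] ?? 'NO') !== 'YES') {
        return $current;
    }
    // Field not submitted: nothing to change.
    if (!isset($post['fTransport'])) {
        return $current;
    }
    $submitted = $post['fTransport'];
    $allowed   = $conf['transport_options'] ?? [];
    // Strict comparison rejects arrays (fTransport[]=x) and loose matches.
    if (!is_string($submitted) || !in_array($submitted, $allowed, true)) {
        throw new InvalidArgumentException('transport not in transport_options');
    }
    return $submitted;
}

// Constructed sample configuration and requests.
$CONF = ['transport' => 'YES', 'transport_options' => ['virtual', 'local', 'relay']];

// Case 1: option enabled, value is on the list.
var_dump(resolve_transport($CONF, ['fTransport' => 'relay'], 'virtual'));

// Case 2: option disabled, a POSTed value must not replace the stored one.
$CONF['transport'] = 'NO';
var_dump(resolve_transport($CONF, ['fTransport' => 'relay'], 'local'));

// Case 3: option enabled, value is not on the list.
$CONF['transport'] = 'YES';
try {
    resolve_transport($CONF, ['fTransport' => 'bogus'], 'virtual');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The returned value still goes through escape_string() or a bound parameter when the UPDATE is built, because the allow-list comes from configuration and the stored value from the database.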