[Fusionforge-commits] r7731 - branches/Branch_4_8/gforge/www/include

Guillaume Smet gsmet at libremir.placard.fr.eu.org
Sun Jun 7 00:14:52 CEST 2009


Author: gsmet
Date: 2009-06-07 00:14:51 +0200 (Sun, 07 Jun 2009)
New Revision: 7731

Modified:
   branches/Branch_4_8/gforge/www/include/logger.php
Log:
use db_query_params() instead of db_query() to prevent potential injection problems (we met the problem by uploading documents into the doc manager)
per analysis from Laurent Almeras (Open Wide)

Modified: branches/Branch_4_8/gforge/www/include/logger.php
===================================================================
--- branches/Branch_4_8/gforge/www/include/logger.php	2009-06-06 20:22:29 UTC (rev 7730)
+++ branches/Branch_4_8/gforge/www/include/logger.php	2009-06-06 22:14:51 UTC (rev 7731)
@@ -112,11 +112,11 @@
 
 $sql =	"INSERT INTO activity_log "
 	. "(day,hour,group_id,browser,ver,platform,time,page,type) "
-	. "VALUES (" . date('Ymd', mktime()) . ",'" . date('H', mktime())
-	. "','$log_group','" . browser_get_agent() . "','" . browser_get_version() 
-	. "','" . browser_get_platform() . "','" . time() . "','".getStringFromServer('PHP_SELF')."','0');";
+	. "VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9);";
 
-$res_logger = db_query ( $sql );
+$res_logger = db_query_params ($sql, array(date('Ymd'), date('H'),
+	$log_group, browser_get_agent(), browser_get_version(), browser_get_platform(),
+	time(), getStringFromServer('PHP_SELF'), '0'));
 
 //
 //	temp hack
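Review bot: the log message should mention that `date('Ymd', mktime())` and `date('H', mktime())` were also replaced by `date('Ymd')` and `date('H')`; that is behaviour-preserving (date() defaults to the current timestamp) but is a cleanup unrelated to the injection fix. The `$1` to `$9` placeholders in the `VALUES (...)` line are correctly left unquoted, since db_query_params() binds the array entries as parameters rather than interpolating them into the SQL text, so the User-Agent-derived values (browser_get_agent(), browser_get_version(), browser_get_platform()) and getStringFromServer('PHP_SELF') are now passed as data; the trailing `;` inside the parameterized statement is unnecessary and could be dropped.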

