
* Sanitize data entries for install gelato

Victor De la Rocha hace 16 años
padre
commit
25f1c98695
Se han modificado 2 ficheros con 9 adiciones y 10 borrados
  1. 4 5
      classes/install.class.php
  2. 5 5
      install.php

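--- a/classes/install.class.php
+++ b/classes/install.class.php
@@ -120,14 +120,13 @@ class Install {
 			PRIMARY KEY  (`id_feed`)
 			) ENGINE=MyISAM ;";
 
-
-		$sqlStr[] = "INSERT INTO `".Table_prefix."config` VALUES (". $this->data['posts_limit'] .", '".$this->data['title']."', '".$this->data['description']."', '".$this->data['lang']."', '".$this->data['template']."', '".$this->data['url_installation']."');";
-		$sqlStr[] = "INSERT INTO `".Table_prefix."users` VALUES ('', '', '".$this->data['login']."', '".md5($this->data['password'])."', '".$this->data['email']."', '".$this->data['website']."', '".$this->data['about']."');";
+		$sqlStr[] = "INSERT INTO `".Table_prefix."config` VALUES (". $db->sql_escape($this->data['posts_limit']).", '".$db->sql_escape($this->data['title'])."', '".$db->sql_escape($this->data['description'])."', '".$db->sql_escape($this->data['lang'])."', '".$db->sql_escape($this->data['template'])."', '".$db->sql_escape($this->data['url_installation'])."');";
+		$sqlStr[] = "INSERT INTO `".Table_prefix."users` VALUES ('', '', '".$db->sql_escape($this->data['login'])."', '".md5($this->data['password'])."', '".$db->sql_escape($this->data['email'])."', '".$db->sql_escape($this->data['website'])."', '".$db->sql_escape($this->data['about'])."');";
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('url_friendly', '0');";
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('rich_text', '0');";
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('allow_comments', '0');";
-		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('offset_city', '".$this->data['offset_city']."');";
-		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('offset_time', '".$this->data['offset_time']."');";
+		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('offset_city', '".$db->sql_escape($this->data['offset_city'])."');";
+		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('offset_time', '".$db->sql_escape($this->data['offset_time'])."');";
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('shorten_links', '0');";
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('rss_import_frec', '5 minutes');";
 		$sqlStr[] = "INSERT INTO `".Table_prefix."options` VALUES ('check_version', '1');";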
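Review bot: On the new config INSERT, `posts_limit` is still concatenated into an unquoted numeric position, so `$db->sql_escape()` (which, assuming it is a quote-escaping wrapper, only neutralises quote and escape characters) does not constrain that value at all; cast it instead, `(int) $this->data['posts_limit']`, or validate it as a positive integer in check_form before the statement is built. The users INSERT stores `md5($this->data['password'])` unsalted, which is a weak password store; a salted, slow hash would be preferable, even if that is out of scope for this commit. `$db` is not defined within the hunk and the method containing these statements begins above it, so whether it is actually in scope here cannot be confirmed from the diff.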

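--- a/install.php
+++ b/install.php
@@ -63,7 +63,7 @@ $install->check_form();
 					<legend class="install">Database Settings</legend>
 					<ul>
 						<li><label for="login">User:</label>
-							<input type="text" name="db_login" id="db_login" value="<?php echo $install->data['db_login']?>" class="txt"/><?php echo $install->mostrarerror("10")?></li>
+							<input type="text" name="db_login" id="db_login" value="<?php echo isset($install->data['db_login'])?$install->data['db_login']:''?>" class="txt"/><?php echo $install->mostrarerror("10")?></li>
 						<li><label for="password">Password:</label>
 							<input type="password" name="db_password" id="db_password" value="" class="txt"/></li>
 						<li><label for="password2">Re-type password:</label>
@@ -78,22 +78,22 @@ $install->check_form();
 					<legend class="install">Admin user</legend>
 					<ul>
 						<li><label for="login">User:</label>
-							<input type="text" name="login" id="login" value="<?php echo $install->data['login']?>" class="txt"/><?php echo $install->mostrarerror("1")?></li>
+							<input type="text" name="login" id="login" value="<?php echo isset($install->data['login'])?$install->data['login']:''?>" class="txt"/><?php echo $install->mostrarerror("1")?></li>
 						<li><label for="password">Password:</label>
 							<input type="password" name="password" id="password" value="" class="txt"/><?php echo $install->mostrarerror("2")?></li>
 						<li><label for="password2">Re-type password:</label>
 							<input type="password" name="password2" id="password2" value="" class="txt"/><?php echo $install->mostrarerror("3")?></li>
 						<li><label for="email">E-mail:</label>
-							<input type="text" name="email" id="email" value="<?php echo $install->data['email']?>" class="txt"/><?php echo $install->mostrarerror("4")?></li>
+							<input type="text" name="email" id="email" value="<?php echo isset($install->data['email'])?$install->data['email']:''?>" class="txt"/><?php echo $install->mostrarerror("4")?></li>
 					</ul>
 				</fieldset><br  />
 				<fieldset class="install">
 					<legend class="install">Tumblelog configuration</legend>
 					<ul>
 						<li><label for="title">Title:</label>
-							<input type="text" name="title" id="title" value="<?php echo $install->data['title']?>" class="txt"/></li>
+							<input type="text" name="title" id="title" value="<?php echo isset($install->data['title'])?$install->data['title']:''?>" class="txt"/></li>
 						<li><label for="description">Description:</label>
-							<input type="text" name="description" id="description" value="<?php echo $install->data['description']?>" class="txt"/></li>
+							<input type="text" name="description" id="description" value="<?php echo isset($install->data['description'])?$install->data['description']:''?>" class="txt"/></li>
 						<li><label for="url_installation">Installation URL</label>
 							<input type="text" name="url_installation" id="url_installation" value="<?php if(isset($_SERVER['SCRIPT_URI']))echo substr($_SERVER["SCRIPT_URI"], '0', '-12'); ?>" class="txt"/><?php echo $install->mostrarerror("5")?></li>
 						<li><label for="posts_limit">Post limit:</label>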
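Review bot: The added `isset(...) ? ... : ''` guards on the `value` attributes only silence the undefined-index notice; the submitted value is still echoed into an HTML attribute unescaped, on the login, email, title and description lines here and on the db_login line of the first hunk. If `$install->data` is populated from the posted form, as its use alongside check_form suggests, a rejected submission redisplays user-supplied text inside the attribute, so each echo should go through `htmlspecialchars`, e.g. `value="<?php echo isset($install->data['login']) ? htmlspecialchars($install->data['login'], ENT_QUOTES, 'UTF-8') : '' ?>"`. Since the same pattern repeats six times, a small method on `$install` that returns the escaped value or `''` for a missing key would keep the template readable and make the escaping hard to forget.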