Bravo List


kp380lv 20th August 2008 12:15

A little bug-fix in rss.php (potential SQL-injection)
 
For YSE PRE 6, but also working for BoLaMns PRE 7.

Open rss.php and substitute:

Replace this:

Code:

// Vulnerable: $passkey is pasted straight into the query, so a quote inside it ends the string literal
$user = mysql_fetch_row(sql_query("SELECT COUNT(*) FROM users WHERE passkey = '$passkey'"));

With this:

Code:

// Fixed: sqlesc() escapes and quotes $passkey, so it can only ever be compared as a string value
$user = mysql_fetch_row(sql_query("SELECT COUNT(*) FROM users WHERE passkey = ".sqlesc($passkey)));

Vulnerability type: SQL injection, but because of the complexity of the application, not really dangerous.
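The following is an added example, not code from the post or from the YSE/TBDev code base. It reproduces the "before" and "after" queries against an in-memory SQLite table so the effect of the fix can be observed: the raw interpolation lets a crafted passkey rewrite the WHERE clause, while the escaped value (and, as a third variant, a bound parameter) is compared as a plain string. Assumptions: the users table and passkeys are constructed sample data; `sqlesc()` here is a stand-in for TBDev's helper, adapted to SQLite's quote-doubling rule instead of MySQL's backslash escaping; and `$passkey` is taken to be attacker-controlled request input, which the post implies but does not state.

```python
import sqlite3

# Constructed sample data (not from the post): two users with made-up passkeys.
USERS = [
    ("alice", "0123456789abcdef0123456789abcdef"),
    ("bob", "fedcba9876543210fedcba9876543210"),
]


def make_db():
    """In-memory SQLite stand-in for the tracker's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passkey TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def sqlesc(value):
    """Stand-in for TBDev's sqlesc(): escape the value and wrap it in single quotes.

    Assumption: the real helper relies on mysql_real_escape_string() (backslash
    escaping). SQLite escapes a quote by doubling it, so that rule is used here.
    """
    return "'" + value.replace("'", "''") + "'"


def count_vulnerable(conn, passkey):
    """The 'before' query: the raw passkey is pasted into the SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE passkey = '%s'" % passkey
    return conn.execute(sql).fetchone()[0]


def count_escaped(conn, passkey):
    """The 'after' query from the post: the value goes through sqlesc()."""
    sql = "SELECT COUNT(*) FROM users WHERE passkey = " + sqlesc(passkey)
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, passkey):
    """Same check with a bound parameter: the value never touches the SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE passkey = ?"
    return conn.execute(sql, (passkey,)).fetchone()[0]


def demo():
    """Run all three queries with a genuine passkey and with an injection payload.

    Returns {variant: (count for genuine passkey, count for payload)}.
    """
    conn = make_db()
    genuine = USERS[0][1]
    payload = "' OR '1'='1"  # closes the literal and appends an always-true clause
    results = {}
    for name, fn in (("vulnerable", count_vulnerable),
                     ("escaped", count_escaped),
                     ("parameterized", count_parameterized)):
        results[name] = (fn(conn, genuine), fn(conn, payload))
    return results


if __name__ == "__main__":
    for name, (ok, attack) in demo().items():
        print(f"{name:14s} genuine={ok} injected={attack}")
```

For the payload, the vulnerable query counts every row (2), so the passkey check passes without knowing any passkey; the escaped and parameterized variants return 0 and only the genuine passkey yields 1. Escaping only works when the escaper matches the database's quoting rules exactly, which is why binding the value as a parameter is the safer pattern where the database layer supports it.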

