author | Mario <mario@mariovavti.com> | 2021-04-14 11:01:34 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2021-04-20 10:57:36 +0200 |
commit | c7144dbf9696140d21cff87ae93ed9ddd8f07cbd (patch) | |
tree | 2b87cc84caec50f20f136499f37ed1b7b18a2259 | |
parent | c31e203104a966f55806018b2aa659bbcc4b7995 (diff) | |
use protect_sprintf() on query strings
(cherry picked from commit f9793e870f5c3c531fe48a2294782de0643a6c9b)
-rw-r--r-- | include/text.php | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/include/text.php b/include/text.php
index 99e09f81d..ac22fe565 100644
--- a/include/text.php
+++ b/include/text.php
@@ -3693,7 +3693,7 @@ function get_forum_channels($uid) {
 $xc = ids_to_querystr($x1,'xchan',true);
- $x2 = q("select xchan from abconfig where chan = %d and cat = 'their_perms' and k = 'tag_deliver' and v = '1' and xchan in (" . $xc . ") ",
+ $x2 = q("select xchan from abconfig where chan = %d and cat = 'their_perms' and k = 'tag_deliver' and v = '1' and xchan in (" . protect_sprintf($xc) . ") ",
 intval($uid)
 );
@@ -3701,7 +3701,7 @@ function get_forum_channels($uid) {
 $sql_extra = (($xf) ? ' and not xchan in (' . $xf . ')' : '');
 // private forums
- $x3 = q("select xchan from abconfig where chan = %d and cat = 'their_perms' and k = 'post_wall' and v = '1' and xchan in (" . $xc . ") $sql_extra ",
+ $x3 = q("select xchan from abconfig where chan = %d and cat = 'their_perms' and k = 'post_wall' and v = '1' and xchan in (" . protect_sprintf($xc) . ") $sql_extra ",
 intval(local_channel())
 );
 if($x3) {
@@ -3709,7 +3709,7 @@ function get_forum_channels($uid) {
 }
 // public forums with no permission to post
- $x4 = q("select xchan from abconfig left join xchan on xchan = xchan_hash where chan = %d and cat = 'their_perms' and k in ('post_wall', 'tag_deliver') and v = '0' and xchan in (" . $xc . ") and xchan_pubforum = 1 $sql_extra ",
+ $x4 = q("select xchan from abconfig left join xchan on xchan = xchan_hash where chan = %d and cat = 'their_perms' and k in ('post_wall', 'tag_deliver') and v = '0' and xchan in (" . protect_sprintf($xc) . ") and xchan_pubforum = 1 $sql_extra ",
 intval(local_channel())
 );
 if($x4) {
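Review bot: `$sql_extra` in the second hunk is still built from the raw `$xf` (`' and not xchan in (' . $xf . ')'`) and is interpolated into the `$x3` and `$x4` query strings in the second and third hunks. Judging by the `%d` placeholders, `q()` treats the query as a format string, so a `%` inside `$xf` would still reach the same format parsing this commit guards against for `$xc`. The context line should get the same wrapping: `$sql_extra = (($xf) ? ' and not xchan in (' . protect_sprintf($xf) . ')' : '');`. The assignment of `$xf` is outside the visible hunks, so whether it can actually carry a `%` needs confirming against the full body of `get_forum_channels()`, which starts and ends outside these hunks.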
@@ -3718,7 +3718,7 @@ function get_forum_channels($uid) {
 }
- $sql_extra_1 = (($xf) ? " and ( xchan_hash in (" . $xf . ") or xchan_pubforum = 1 ) " : " and xchan_pubforum = 1 ");
+ $sql_extra_1 = (($xf) ? " and ( xchan_hash in (" . protect_sprintf($xf) . ") or xchan_pubforum = 1 ) " : " and xchan_pubforum = 1 ");
 $r = q("select abook_id, xchan_hash, xchan_name, xchan_url, xchan_addr, xchan_photo_s from abook left join xchan on abook_xchan = xchan_hash where xchan_deleted = 0 and abook_channel = %d and abook_pending = 0 and abook_ignored = 0 and abook_blocked = 0 and abook_archived = 0 $sql_extra_1 order by xchan_name",
 intval($uid) |
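Review bot: The `protect_sprintf($xf)` call in `$sql_extra_1` carries no comment, and a reader could mistake it for SQL escaping. As far as the hunk shows, it only keeps `%` in the spliced list from being read as a conversion when `q()` formats the query; the quoting and escaping of each value in `$xf` must already have happened where the list is built, which is outside this hunk. I would add above the assignment: `// $xf is spliced into a q() format string: protect_sprintf() only neutralises '%'; the values must already be quoted and SQL-escaped`.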