fix strip_tags for passwords

19 years ago · 1cc679b01b
parent 81ef702a6c
commit 1cc679b01b
3 changed files with 7 additions and 7 deletions
--- a/includes/account.php
+++ b/includes/account.php
@ -968,9 +968,9 @@

 	if($oldid == 14 && $_REQUEST['process'] != "")
 	{
-		$_SESSION['_config']['user']['oldpass'] = trim(mysql_real_escape_string(stripslashes(strip_tags($oldpassword))));
-		$_SESSION['_config']['user']['pword1'] = trim(mysql_real_escape_string(stripslashes(strip_tags($pword1))));
-		$_SESSION['_config']['user']['pword2'] = trim(mysql_real_escape_string(stripslashes(strip_tags($pword2))));
+		$_SESSION['_config']['user']['oldpass'] = trim(mysql_real_escape_string(stripslashes($oldpassword)));
+		$_SESSION['_config']['user']['pword1'] = trim(mysql_real_escape_string(stripslashes($pword1)));
+		$_SESSION['_config']['user']['pword2'] = trim(mysql_real_escape_string(stripslashes($pword2)));

 		$id = 14;
 		showheader(_("My CAcert.org Account!"));
--- a/www/index.php
+++ b/www/index.php
@ -175,7 +175,7 @@
 		$_SESSION['_config']['errmsg'] = "";

 		$email = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['email']))));
-		$pword = mysql_escape_string(stripslashes(strip_tags(trim($_REQUEST['pword']))));
+		$pword = mysql_escape_string(stripslashes(trim($_REQUEST['pword'])));
 		$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
 						`password`=password('$pword')) and `verified`=1 and `deleted`=0";
 		$res = mysql_query($query);
@ -239,8 +239,8 @@
 		$_SESSION['signup']['day'] = intval($day);
 		$_SESSION['signup']['month'] = intval($month);
 		$_SESSION['signup']['year'] = intval($year);
-		$_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes(strip_tags($pword1))));
-		$_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes(strip_tags($pword2))));
+		$_SESSION['signup']['pword1'] = trim(mysql_escape_string(stripslashes($pword1)));
+		$_SESSION['signup']['pword2'] = trim(mysql_escape_string(stripslashes($pword2)));
 		$_SESSION['signup']['Q1'] = trim(mysql_escape_string(stripslashes(strip_tags($Q1))));
 		$_SESSION['signup']['Q2'] = trim(mysql_escape_string(stripslashes(strip_tags($Q2))));
 		$_SESSION['signup']['Q3'] = trim(mysql_escape_string(stripslashes(strip_tags($Q3))));
--- a/www/src-lic.php
+++ b/www/src-lic.php
@ -1,7 +1,7 @@
 <?
 	if($process == "Confirm, I agree to these terms and conditions" && $iagree == "yes")
 	{
-		$output_file = $fname = "cacert-20060421.tar.bz2";
+		$output_file = $fname = "cacert-20060430.tar.bz2";

 		header('Pragma: public');