From 3ee1bb2e4f9d55f9a7abbb9dc1a3a0e17e228feb Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 24 Nov 2008 20:02:48 +0000
Subject: [PATCH] Added SQL Injection prevention
---
 www/alert_hash_collision.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/www/alert_hash_collision.php b/www/alert_hash_collision.php
index 81ccc09..bad60e8 100644
--- a/www/alert_hash_collision.php
+++ b/www/alert_hash_collision.php
@@ -14,13 +14,13 @@ if (!preg_match('/^(mem|org)-[0-9]+$/', @$_POST['usernym']))
 if (preg_match('/^mem-[0-9]+$/', @$_POST['usernym']))
 {
- mysql_query("update emailcerts set coll_found=1 where memid='".substr(@$_POST['usernym'],4)."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
- mysql_query("update domaincerts set coll_found=1 where memid='".substr(@$_POST['usernym'],4)."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
+ mysql_query("update emailcerts set coll_found=1 where memid='".mysql_escape_string(substr(@$_POST['usernym'],4))."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
+ mysql_query("update domaincerts set coll_found=1 where memid='".mysql_escape_string(substr(@$_POST['usernym'],4))."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
 } else {
- mysql_query("update orgemailcerts set coll_found=1 where memid='".substr(@$_POST['usernym'],4)."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
- mysql_query("update orgdomaincerts set coll_found=1 where memid='".substr(@$_POST['usernym'],4)."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
+ mysql_query("update orgemailcerts set coll_found=1 where memid='".mysql_escape_string(substr(@$_POST['usernym'],4))."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
+ mysql_query("update orgdomaincerts set coll_found=1 where memid='".mysql_escape_string(substr(@$_POST['usernym'],4))."' and pkhash!='' and pkhash='".$_POST['pkhash']."';");
 }
 //exec(REPORT_WEAK . ' ' . $_POST['usernym'] . ' ' . lower($_POST['pkhash']));
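Review bot: All four rewritten `mysql_query` calls still concatenate `$_POST['pkhash']` into the `pkhash='…'` clause with no escaping, so the injection this commit is titled to prevent remains on the one input that has no validation at all, while `usernym` has already passed the anchored `^(mem|org)-[0-9]+$` check in the hunk context and `substr(...,4)` can therefore only yield digits, making the added escaping there a no-op. The fix belongs on the other value: compute `$pkhash = mysql_real_escape_string($_POST['pkhash']);` once before the `if`, use `pkhash='".$pkhash."'` in each query, and ideally reject it up front with an anchored character-class check like the one applied to `usernym` (hex digits, if that is the stored format — to be confirmed). `mysql_escape_string` also ignores the connection character set, so `mysql_real_escape_string` is the better call for the `memid` value as well if the escaping is kept. The hunk's trailing context may continue past the `//exec` line shown here.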