cacert
/
cacert-webdb
9
0
Fork 0
Code Issues Pull Requests 5 Projects Releases 3 Wiki Activity

Added prevention

Browse Source
pull/1/head
root 16 years ago
parent 4c0fe694ad
commit dc79c6215b
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File

14
includes/account.php
Unescape Escape View File

@ -129,7 +129,7 @@
$query = "update `users` set `email`='".$row['email']."' where `id`='".$_SESSION['profile']['id']."'";
mysql_query($query);
showheader(_("My CAcert.org Account!"));
printf(_("Your default email address has been updated to '%s'."), $row['email']);
printf(_("Your default email address has been updated to '%s'."), sanitizeHTML($row['email']));
showfooter();
exit;
}
@ -1948,7 +1948,7 @@
{
mysql_query("insert into `orgdomains` set `orgid`='".intval($_SESSION['_config']['orgid'])."', `domain`='$domain'");
showheader(_("My CAcert.org Account!"));
printf(_("'%s' has just been successfully added to the database."), $domain);
printf(_("'%s' has just been successfully added to the database."), sanitizeHTML($domain));
echo "<br><br><a href='account.php?id=26&orgid=".intval($_SESSION['_config']['orgid'])."'>"._("Click here")."</a> "._("to continue.");
showfooter();
exit;
@ -1962,7 +1962,7 @@
$res2 = mysql_query("select * from `domains` where `domain` like '$domain' and `deleted`=0");
if(mysql_num_rows($res1) > 0 || mysql_num_rows($res2) > 0)
{
$_SESSION['_config']['errmsg'] = sprintf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), $domain);
$_SESSION['_config']['errmsg'] = sprintf(_("The domain '%s' is already in the system and is listed as valid. Can't continue."), sanitizeHTML($domain));
$id = $oldid;
$oldid=0;
}
@ -1992,7 +1992,7 @@
$row = mysql_fetch_assoc(mysql_query("select * from `orgdomains` where `id`='".intval($_SESSION['_config']['domid'])."'"));
mysql_query("update `orgdomains` set `domain`='$domain' where `id`='".intval($_SESSION['_config']['domid'])."'");
showheader(_("My CAcert.org Account!"));
printf(_("'%s' has just been successfully updated in the database."), $domain);
printf(_("'%s' has just been successfully updated in the database."), sanitizeHTML($domain));
echo "<br><br><a href='account.php?id=26&orgid=".intval($_SESSION['_config']['orgid'])."'>"._("Click here")."</a> "._("to continue.");
showfooter();
exit;
@ -2004,7 +2004,7 @@
$domain = $row['domain'];
mysql_query("delete from `orgdomains` where `id`='".intval($_SESSION['_config']['domid'])."'");
showheader(_("My CAcert.org Account!"));
printf(_("'%s' has just been successfully deleted from the database."), $domain);
printf(_("'%s' has just been successfully deleted from the database."), sanitizeHTML($domain));
echo "<br><br><a href='account.php?id=26&orgid=".intval($_SESSION['_config']['orgid'])."'>"._("Click here")."</a> "._("to continue.");
showfooter();
exit;
@ -2096,7 +2096,7 @@
{
$id = $oldid;
$oldid=0;
$_SESSION['_config']['errmsg'] = sprintf(_("Wasn't able to match '%s' against any user in the system"), $_REQUEST['email']);
$_SESSION['_config']['errmsg'] = sprintf(_("Wasn't able to match '%s' against any user in the system"), sanitizeHTML($_REQUEST['email']));
} else {
$row = mysql_fetch_assoc($res);
mysql_query("insert into `org` set `memid`='".$row['id']."', `orgid`='".intval($_SESSION['_config']['orgid'])."',
@ -2374,7 +2374,7 @@
} else {
mysql_query("update `users` set `password`=sha1('".mysql_real_escape_string(stripslashes($_REQUEST['newpass']))."') where `id`='".intval($_REQUEST['userid'])."'");
$row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_REQUEST['userid']."'"));
printf(_("The password for %s has been updated successfully in the system."), $row['email']);
printf(_("The password for %s has been updated successfully in the system."), sanitizeHTML($row['email']));
$body = sprintf(_("Hi %s,"),$row['fname'])."\n";

Write Preview
Loading…
Cancel
Save