functions.inc.php - check_owner():

- apply escape_string() to $username and $domain to prevent SQL injection
- add a TODO


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1171 a1433add-5e2c-0410-b055-b7f2511e0802
pull/2/head
Christian Boltz 13 years ago
parent 15fe167948
commit 0403a0a55a

@ -764,7 +764,9 @@ function divide_quota ($quota) {
//
function check_owner ($username, $domain) {
global $table_domain_admins;
$result = db_query ("SELECT 1 FROM $table_domain_admins WHERE username='$username' AND (domain='$domain' OR domain='ALL') AND active='1'");
$E_username = escape_string($username);
$E_domain = escape_string($domain);
$result = db_query ("SELECT 1 FROM $table_domain_admins WHERE username='$E_username' AND (domain='$E_domain' OR domain='ALL') AND active='1'");
if ($result['rows'] != 1) {
if ($result['rows'] > 1) { # "ALL" + specific domain permissions. 2.3 doesn't create such entries, but they are available as leftover from older versions
flash_error("Permission check returned more than one result. Please go to 'edit admin' for your username and press the save "
@ -773,6 +775,7 @@ function check_owner ($username, $domain) {
return false;
} else {
return true;
# TODO: if superadmin, check if given domain exists in the database
}
}
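Review bot: The TODO added in the second hunk is placed after `return true;`, where it reads as an unreachable statement; move it above the return, e.g. `# TODO: if superadmin, check if given domain exists in the database` directly before `return true;`, or into a header comment on check_owner. The escaping added in the first hunk closes the injection path through $username and $domain, but the query is still assembled by string interpolation, so every future caller has to remember the E_ variables; if db_query supports bound parameters, a prepared statement would remove that burden, though I cannot tell from the hunk whether it does. The `$result['rows'] != 1` comparison is loose; if rows is always an int, `!== 1` would be stricter, but its type is not visible here. check_owner's body continues between the two hunks and the flash_error string is cut at the first hunk's edge.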
