From 92decf4f2ddb0c822e8d333ae66f4014f0bee253 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Tue, 22 Nov 2011 10:43:24 +0400 Subject: [PATCH] properly escape login and password in login_sequence() (refs #392) --- functions.php | 4 ++-- modules/pref-prefs.php | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/functions.php b/functions.php index 498750851..10f8e034e 100644 --- a/functions.php +++ b/functions.php @@ -2110,8 +2110,8 @@ # try to authenticate user if called from login form if ($login_action == "do_login") { - $login = $_POST["login"]; - $password = $_POST["password"]; + $login = db_escape_string($_POST["login"]); + $password = db_escape_string($_POST["password"]); $remember_me = $_POST["remember_me"]; if (authenticate_user($link, $login, $password)) { diff --git a/modules/pref-prefs.php b/modules/pref-prefs.php index 838c722c3..2ab79db01 100644 --- a/modules/pref-prefs.php +++ b/modules/pref-prefs.php @@ -21,9 +21,9 @@ if ($subop == "change-password") { - $old_pw = $_POST["old_password"]; - $new_pw = $_POST["new_password"]; - $con_pw = $_POST["confirm_password"]; + $old_pw = db_escape_string($_POST["old_password"]); + $new_pw = db_escape_string($_POST["new_password"]); + $con_pw = db_escape_string($_POST["confirm_password"]); if ($old_pw == "") { print "ERROR: ".__("Old password cannot be blank.");