[geeklog-cvs] geeklog-1.3/public_html comment.php,1.66,1.67
dhaun at iowaoutdoors.org
dhaun at iowaoutdoors.org
Thu Jun 17 07:12:48 EDT 2004
Update of /var/cvs/geeklog-1.3/public_html
In directory www:/tmp/cvs-serv27788
Modified Files:
comment.php
Log Message:
Be even more paranoid about the uid ...
Index: comment.php
===================================================================
RCS file: /var/cvs/geeklog-1.3/public_html/comment.php,v
retrieving revision 1.66
retrieving revision 1.67
diff -C2 -d -r1.66 -r1.67
*** comment.php 10 Jun 2004 13:47:15 -0000 1.66
--- comment.php 17 Jun 2004 11:12:45 -0000 1.67
***************
*** 75,78 ****
--- 75,85 ----
$retval = '';
+ // never trust $uid ...
+ if (empty ($_USER['uid'])) {
+ $uid = 1;
+ } else {
+ $uid = $_USER['uid'];
+ }
+
if (empty($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['commentsloginrequired'] == 1))) {
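Review bot: The new `$uid` is copied from `$_USER['uid']` without an integer cast, and the second and third hunks (new-side lines 161 and 382) interpolate it straight into SQL strings, `"uid = $uid"` and `"uid = '$uid'"`. I cannot see where `$_USER` is populated, so whether it can carry a non-numeric value is an assumption, but `$uid = (int) $_USER['uid'];` would make the later interpolation safe regardless of the source and is cheaper than reasoning about it per call site. Note also that `empty()` treats a uid of `0` (or `'0'`) as unset and silently maps it to 1; that agrees with the `($uid <= 1)` anonymous check in the third hunk but deserves a comment, e.g. `// empty() also catches uid 0; both are treated as anonymous`. The enclosing function starts before this hunk.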
***************
*** 154,158 ****
if (empty ($HTTP_POST_VARS['username'])) {
$HTTP_POST_VARS['username'] = DB_getItem ($_TABLES['users'],
! 'username', "uid = {$HTTP_POST_VARS['uid']}");
}
$thecomments = COM_getComment ($HTTP_POST_VARS, 'flat', $type,
--- 161,165 ----
if (empty ($HTTP_POST_VARS['username'])) {
$HTTP_POST_VARS['username'] = DB_getItem ($_TABLES['users'],
! 'username', "uid = $uid");
}
$thecomments = COM_getComment ($HTTP_POST_VARS, 'flat', $type,
***************
*** 375,379 ****
}
! $author = DB_getItem ($_TABLES['users'], 'username', "uid = $uid");
if (($uid <= 1) && !empty ($ipaddress)) {
// add IP address for anonymous posters
--- 382,386 ----
}
! $author = DB_getItem ($_TABLES['users'], 'username', "uid = '$uid'");
if (($uid <= 1) && !empty ($ipaddress)) {
// add IP address for anonymous posters
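Review bot: The rewritten lookup quotes the id, `"uid = '$uid'"`, while the otherwise identical lookup in the second hunk leaves it bare, `"uid = $uid"`; the two should be written the same way. If `$uid` is numeric the quotes add nothing, and if it is not, quoting is not what makes the query safe, so picking one form keeps the intent clear. The enclosing function continues outside the hunk.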