[geeklog-cvs] geeklog: Filter OAuth user data just like we do for My Account (...
Fri Apr 22 09:29:30 EDT 2011
changeset 8241:48b635b65c7d
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/48b635b65c7d
user: Dirk Haun <dirk at haun-online.de>
date: Fri Apr 22 15:28:33 2011 +0200
description:
Filter OAuth user data just like we do for My Account (cf. bug #0001322)
diffstat:
system/classes/oauthhelper.class.php | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
diffs (42 lines):
diff -r c2d9be7b0464 -r 48b635b65c7d system/classes/oauthhelper.class.php
--- a/system/classes/oauthhelper.class.php Fri Apr 22 14:07:18 2011 +0200
+++ b/system/classes/oauthhelper.class.php Fri Apr 22 15:28:33 2011 +0200
@@ -205,21 +205,21 @@
if (is_array($users)) {
$sql = "UPDATE {$_TABLES['users']} SET ";
if (!empty($users['fullname'])) {
- $fn = addslashes($users['fullname']);
+ $fn = addslashes(strip_tags($users['fullname']));
$updatecolumns .= "fullname='$fn'";
}
if (!empty($users['email'])) {
if (!empty($updatecolumns)) {
$updatecolumns .= ", ";
}
- $em = addslashes($users['email']);
+ $em = addslashes(COM_applyFilter($users['email']));
$updatecolumns .= "email='$em'";
}
if (!empty($users['homepage'])) {
if (!empty($updatecolumns)) {
$updatecolumns .= ", ";
}
- $hp = addslashes($users['homepage']);
+ $hp = addslashes(COM_applyFilter($users['homepage']));
$updatecolumns .= "homepage='$hp'";
}
$sql = $sql . $updatecolumns . " WHERE uid={$_USER['uid']}";
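Review bot: The filtered values `$fn`, `$em` and `$hp` are still escaped with `addslashes()` and then interpolated into the UPDATE string; `addslashes()` is not charset-aware and is not the database driver's own escaping, so the new filtering reduces stored markup but does not by itself make the query construction safe for malformed input. Prefer the database layer's escaping function (Geeklog's `DB_escapeString()`, if this version provides it) or a prepared statement for these three values, and likewise for the `about` and `location` values in the second hunk. Separately, when all three fields are empty `$updatecolumns` stays empty and the last line yields `UPDATE ... SET  WHERE uid=...`, which is malformed unless a check outside the hunk guards execution; the enclosing function starts and ends outside this hunk. Also, `fullname` receives only `strip_tags()` while `email` and `homepage` receive `COM_applyFilter()`; since the intent is to match My Account, it is worth confirming that each field gets the same filter as there.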
@@ -344,11 +344,11 @@
// COM_errorLog("userinfo[location]={$userinfo['location']}");
$sql = "UPDATE {$_TABLES['userinfo']} SET";
if (! empty($userinfo['about'])) {
- $sql .= " about = '" . addslashes($userinfo['about']) . "'";
+ $sql .= " about = '" . addslashes(strip_tags($userinfo['about'])) . "'";
}
$sql .= (!empty($userinfo['about']) && !empty($userinfo['location'])) ? "," : "";
if (! empty($userinfo['location'])) {
- $sql .= " location = '" . addslashes($userinfo['location']) . "'";
+ $sql .= " location = '" . addslashes(strip_tags($userinfo['location'])) . "'";
}
$sql .= " WHERE uid = {$uid}";
// COM_errorLog("sql={$sql}");
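Review bot: `strip_tags()` on `about` and `location` removes tag syntax only; it does not neutralise quotes, entities or attribute text, so these fields still need HTML-context escaping at display time and the storage-side filter should not be treated as the only control. It also differs from the `COM_applyFilter()` applied to `email` and `homepage` in the first hunk; if My Account uses one filter for every profile field, using the same one here keeps the two paths consistent. The commented-out `COM_errorLog(...)` debug lines above and below the change should be deleted rather than kept as dead code. The enclosing function continues outside the hunk.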