[geeklog-cvs] geeklog: Filter OAuth user data just like we do for My Account (...

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Fri Apr 22 09:29:30 EDT 2011


changeset 8241:48b635b65c7d
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/48b635b65c7d
user: Dirk Haun <dirk at haun-online.de>
date: Fri Apr 22 15:28:33 2011 +0200
description:
Filter OAuth user data just like we do for My Account (cf. bug #0001322)

diffstat:

 system/classes/oauthhelper.class.php |  10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diffs (42 lines):

diff -r c2d9be7b0464 -r 48b635b65c7d system/classes/oauthhelper.class.php
--- a/system/classes/oauthhelper.class.php	Fri Apr 22 14:07:18 2011 +0200
+++ b/system/classes/oauthhelper.class.php	Fri Apr 22 15:28:33 2011 +0200
@@ -205,21 +205,21 @@
         if (is_array($users)) {
             $sql = "UPDATE {$_TABLES['users']} SET ";
             if (!empty($users['fullname'])) {
-                $fn = addslashes($users['fullname']);
+                $fn = addslashes(strip_tags($users['fullname']));
                 $updatecolumns .= "fullname='$fn'";
             }
             if (!empty($users['email'])) {
                 if (!empty($updatecolumns)) {
                     $updatecolumns .= ", ";
                 }
-                $em = addslashes($users['email']);
+                $em = addslashes(COM_applyFilter($users['email']));
                 $updatecolumns .= "email='$em'";
             }
             if (!empty($users['homepage'])) {
                 if (!empty($updatecolumns)) {
                     $updatecolumns .= ", ";
                 }
-                $hp = addslashes($users['homepage']);
+                $hp = addslashes(COM_applyFilter($users['homepage']));
                 $updatecolumns .= "homepage='$hp'";
             }
             $sql = $sql . $updatecolumns . " WHERE uid={$_USER['uid']}";
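Review bot: The new `strip_tags()`/`COM_applyFilter()` calls run after the `!empty($users['fullname'])` style tests, so a value that is non-empty before filtering but empty afterwards (markup-only input, for instance) is still written to the column as an empty string; this ordering applies to fullname, email and homepage here and to `about`/`location` in the second hunk. Filter first and test the filtered value instead, e.g. `$fn = strip_tags($users['fullname']); if (!empty($fn)) { $updatecolumns .= "fullname='" . addslashes($fn) . "'"; }`. Separately, `addslashes()` is not a connection- or charset-aware SQL escape; if this version of the DB layer offers an escaping helper (Geeklog's `DB_escapeString()`, where available), it should be preferred over `addslashes()` in both hunks. The enclosing function begins and ends outside this hunk.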
@@ -344,11 +344,11 @@
             // COM_errorLog("userinfo[location]={$userinfo['location']}");
             $sql = "UPDATE {$_TABLES['userinfo']} SET";
             if (! empty($userinfo['about'])) {
-                $sql .= " about = '" . addslashes($userinfo['about']) . "'";
+                $sql .= " about = '" . addslashes(strip_tags($userinfo['about'])) . "'";
             }
             $sql .= (!empty($userinfo['about']) && !empty($userinfo['location'])) ? "," : "";
             if (! empty($userinfo['location'])) {
-                $sql .= " location = '" . addslashes($userinfo['location']) . "'";
+                $sql .= " location = '" . addslashes(strip_tags($userinfo['location'])) . "'";
             }
             $sql .= " WHERE uid = {$uid}";
             // COM_errorLog("sql={$sql}");


