SECURITY: Comments: fix poor sanitization of subject on initial submit
authorDan
Fri, 21 Aug 2009 11:47:26 -0400
changeset 1085 3343a05e7e5b
parent 1084 742cb0f10766
child 1086 6a59951b70e4
SECURITY: Comments: fix poor sanitization of subject on initial submit
includes/comment.php
--- a/includes/comment.php	Thu Aug 20 21:15:19 2009 -0400
+++ b/includes/comment.php	Fri Aug 21 11:47:26 2009 -0400
@@ -312,6 +312,7 @@
           $subj = htmlspecialchars($data['subj']);
           $text = RenderMan::preprocess_text($data['text'], true, false);
           $src = $text;
+          $sql_subj = $db->escape($subj);
           $sql_text = $db->escape($text);
           $text = RenderMan::render($text);
           $appr = ( getConfig('approve_comments', '0') == '1' ) ? COMMENT_UNAPPROVED : COMMENT_APPROVED;
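Review bot: The INSERT in the second hunk still interpolates `$name`, `$ip`, `$this->page_id` and `$this->namespace` into quoted SQL literals, and neither hunk shows whether they pass through `$db->escape()` as `$sql_subj` and `$sql_text` now do. The enclosing function starts and ends outside both hunks, so this needs checking there; following the existing `$sql_` prefix convention for every escaped value would make the query line show on its face what has been escaped. The root cause also deserves a comment above the added line, for example `// htmlspecialchars() is HTML output encoding, not SQL escaping: its default flags leave ' intact, so every value in the INSERT needs $db->escape()`. That statement about default flags holds for PHP versions before 8.1, which the 2009 commit date implies. Separately, the subject is stored already HTML-encoded, so any later code that encodes it again on output would double-escape it; a short note on the `$subj` line saying the stored value is pre-encoded would help.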
@@ -325,7 +326,7 @@
           
           // Send it to the database
           $q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id, ip_address) VALUES' . "\n  " .
-                             "('$this->page_id', '$this->namespace', '$name', '$subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
+                             "('$this->page_id', '$this->namespace', '$name', '$sql_subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
           if(!$q)
             $db->die_json();