Dankoo
Active Member
- Joined
- Sep 4, 2010
- Messages
- 1,007
- Reaction score
- 27
So, I've seen that a serious security update was made on rev 242, and the changes are:
system/security.php OLD
system/security.php NEW
I can't just replace it without bugs, like when creating a news:
When I use the old one, no bugs... I want to use the safer version, what should I change? Thx eace:eace:eace:eace:eace:
system/security.php OLD
Lua:
<?php
function escape($data) {
return addslashes(str_replace(chr(0xbf).chr(0x27), '', $data ));
}
foreach($_POST as $key=>$value) {
$_POST[$key.'Original'] = $value;
$_POST[$key] = escape($value);
}
if($config['engine']['enable_query_strings']) {
foreach($_GET as $key=>$value) {
$_GET[$key.'Original'] = $value;
$_GET[$key] = escape($value);
}
$_REQUEST = array_merge($_GET, $_POST);
} else {
$_REQUEST = $_POST;
}
?>
system/security.php NEW
Lua:
<?php
function __sql_regcase($string){
$max = strlen($string);
$ret = '';
for ($i = 0; $i < $max; $i++) {
$char = substr($string,$i,1);
$up = strtoupper($char);
$low = strtolower($char);
$ret .=($up != $low) ? '[' . $up . $low . ']' : $char;
}
return $ret;
}
function escape($data) {
$data = preg_replace(__sql_regcase("/(from|select|insert|delete|where|drop table|show tables|
#|\*|--|\\\\)/"),"", $data);
return $data;
}
foreach($_POST as $key=>$value) {
// What IDIOT wrote it like this???
//$_POST[$key] = escape($value);
$_POST[$key] = addslashes(escape($value));
}
if($config['engine']['enable_query_strings']) {
foreach($_GET as $key=>$value) {
$_GET[$key] = escape($value);
}
$_REQUEST = array_merge($_GET, $_POST);
} else {
$_REQUEST = $_POST;
}
?>
I can't just replace it without bugs, like when creating a news:
A PHP Error was encountered
Severity: Notice
Message: Undefined index: bodyOriginal
Filename: controllers/admin.php
Line Number: 61
A PHP Error was encountered
Severity: Notice
Message: Undefined index: titleOriginal
Filename: controllers/admin.php
Line Number: 62
A Database Error Occurred
Error Number: 1048
Column 'body' cannot be null
INSERT INTO `news` (`time`, `id`, `body`, `title`) VALUES (1290470828, '', NULL, NULL)
When I use the old one, no bugs... I want to use the safer version, what should I change? Thx eace:eace:eace:eace:eace: