author | Dries Buytaert <dries@buytaert.net> | 2000-11-13 08:17:45 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2000-11-13 08:17:45 +0000 |
commit | 9559f61fcab156477dd45f4926664b74c3c2d65d (patch) | |
tree | 4c0fb62ac3dca254a2c22023e81d50eb51e579a1 /diary.php | |
parent | d4fc1dfa888305c57f52730ba9dcec800896c004 (diff) | |
Another batch with a lot of internal updates, yet no visual changes to the
site:
- watchdog (rewrite):
+ the collected information provides more details and insights
for post-mortem research
+ input limitation
- database abstraction layer:
+ mysql errors are now verbose and are no longer displayed in a
browser - fixes a possible security risk
- admin.php:
+ updated watchdog page
+ fixed security flaw
- diary.php:
+ fixed nl2br problem
- themes:
+ fixed comment bug in all 3 themes.
- misc:
+ renamed some global variables for sake of consistency:
$sitename --> $site_name
$siteurl --> $site_url
+ added input check where (a) exploitable and (b) possible
+ added input size check
+ various small improvements
+ fixed various typoes
... and much, much more in fact.
Diffstat (limited to 'diary.php')
-rw-r--r-- | diary.php | 13 |
1 files changed, 9 insertions, 4 deletions
@@ -32,7 +32,7 @@ function diary_entry($timestamp, $text, $id = 0) {
 if ($id) {
 $output .= "<DL>\n";
 $output .= " <DT><B>". date("l, F jS", $timestamp) .":</B> </DT>\n";
- $output .= " <DD><P>[ <A HREF=\"diary.php?op=edit&id=$id\">edit</A> ]</P><P>". check_output($text) ."</P></DD>\n";
+ $output .= " <DD><P>[ <A HREF=\"diary.php?op=edit&id=$id\">edit</A> ]</P><P>". check_output($text, 1) ."</P></DD>\n";
 $output .= "</DL>\n";
 }
 else {
@@ -144,16 +144,21 @@ function diary_submit($text, $id = 0) {
 global $user, $theme;
 if ($id) {
+ watchdog("message", "old diary entry updated");
 db_query("UPDATE diaries SET text = '". check_input($text) ."' WHERE id = $id");
- watchdog(1, "old diary entry updated");
 }
 else {
+ watchdog("diary", "new diary entry added");
 db_query("INSERT INTO diaries (author, text, timestamp) VALUES ('$user->id', '". check_input($text) ."', '". time() ."')");
- watchdog(1, "new diary entry added");
 }
 header("Location: diary.php?op=view&name=$user->userid");
 }
+### Security check:
+if (strstr($id, " ") || strstr($name, " ")) {
+ watchdog("error", "diary: attempt to provide malicious input through URI");
+ exit();
+}
 switch($op) {
 case "add":
@@ -177,4 +182,4 @@ switch($op) {
 diary_overview();
 }
-?>
\ No newline at end of file
+?>
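Review bot: The added `### Security check` only rejects a literal space in `$id` and `$name`, yet `$id` is still interpolated unquoted into `WHERE id = $id` inside diary_submit, so a one-character denylist does not bound that value; validate positively instead, `$id = (int) $id;` before it reaches any query, and match `$name` against an allowlist of the characters a username may contain (constructed example: `preg_match('/^[a-zA-Z0-9_-]+$/', $name)`), logging and exiting on mismatch as the hunk already does. `$id` and `$name` are not assigned anywhere in the visible code, so they are presumably request-supplied globals; if so, `strstr()` on an unset variable will also raise a notice on requests that do not carry them. Separately, the two new log calls in diary_submit use different categories, `watchdog("message", ...)` for the update and `watchdog("diary", ...)` for the insert, for sibling events; they should likely share one category so post-mortem filtering finds both. diary_entry and diary_submit both begin before their hunks.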