From f516626a293edd613cb823db88e36dcf7e1fb8f4 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Wed, 7 Mar 2001 21:29:40 +0000
Subject: A rather large and important update: revised most of the SQL queries and tried to make drupal as secure as possible (while trying to avoid redundant/duplicate checks). For drupal's sake, try to screw something up. See the mail about PHPNuke being hacked appr. 6 days ago. The one who finds a problem is rewarded a beer (and I'm willing to ship it to Norway if required). I beg you to be evil. Try dumping a table a la "http://localhost/index.php?date=77778;DROP TABLE users" or something. ;)
---
 modules/section.module | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'modules/section.module')
diff --git a/modules/section.module b/modules/section.module
index af07100f5..42ad6e4d5 100644
--- a/modules/section.module
+++ b/modules/section.module
@@ -102,7 +102,7 @@ function section_display() {
 function section_display_save($edit) {
 foreach ($edit as $key=>$value) {
- db_query("UPDATE sections SET status = '". $value[status] ."', post = '". $value[post] ."', dump = '". $value[dump] ."', timout = '". $value[timout] ."' WHERE name = '$key'");
+ db_query("UPDATE sections SET status = '". check_input($value[status]) ."', post = '". check_input($value[post]) ."', dump = '". check_input($value[dump]) ."', timout = '". check_input($value[timout]) ."' WHERE name = '". check_input($key) ."'");
 }
 }
@@ -119,7 +119,7 @@ function section_admin() {
 section_help();
 break;
 case "delete":
- section_delete($name);
+ section_delete(check_input($name));
 section_display();
 break;
 case "Add section":
-- 
cgit v1.2.3
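Review bot: The UPDATE in section_display_save is still assembled by string concatenation, so its safety now rests entirely on what check_input does, which is not visible in this hunk; if status, post, dump and timout are numeric flags (their names suggest so, but the schema is not shown), a cast such as `status = '". (int) $value[status] ."'` rejects injection independently of any escaping rules rather than depending on an escaper being correct for the connection's charset and quoting mode. The bareword keys `$value[status]`, `$value[post]`, `$value[dump]` and `$value[timout]` are undefined-constant lookups that happen to resolve to the string; they should be quoted as `$value['status']` and so on before a constant of that name is ever defined and silently changes which key is read. A one-line header comment stating that `$edit` is the raw submitted form array keyed by section name would also make clear why `$key`, not only the values, has to pass through check_input.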
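Review bot: The escaping for the delete case is applied at the call site, `section_delete(check_input($name));`, so any other caller of section_delete that passes a raw name remains unprotected; moving the check_input call inside section_delete, next to the query it issues, puts the sanitisation at the SQL sink where it cannot be forgotten. section_admin begins and ends outside this hunk, so whether `$name` is also used unescaped by the "Add section" branch or elsewhere in the switch cannot be confirmed from here. No permission check is visible around the destructive delete either; if one exists it lies outside the hunk, otherwise an access check before section_delete is worth adding alongside the input escaping.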