Timestamp:
Oct 7, 2013, 11:52:11 PM (11 years ago)
Author:
chronos
Message:
  • Fixed: SQL injection protection was not applied because of new dynamic URL handling.
  • Fixed: HTML entities encoding for search input string.
File:
1 edited

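--- a/trunk/Modules/Log/Log.php
+++ b/trunk/Modules/Log/Log.php
@@ -79,5 +79,6 @@
     if(array_key_exists('type', $_GET)) $Where = ' WHERE `Type` = "'.($_GET['type'] * 1).'"';
       else $Where = '';
-    $sql = 'SELECT *, UNIX_TIMESTAMP(`Date`) AS `TimeCreate`, (SELECT `User`.`Name` FROM `User` WHERE `User`.`ID` = `Log`.`User`) AS `UserName` FROM `Log`'.$Where.' ORDER BY `Date` DESC LIMIT 100';
+    $sql = 'SELECT *, UNIX_TIMESTAMP(`Date`) AS `TimeCreate`, (SELECT `User`.`Name` FROM `User` WHERE `User`.`ID` = `Log`.`User`) AS `UserName` FROM `Log`'.
+      $Where.' ORDER BY `Date` DESC LIMIT 100';
     $DbResult = $this->System->Database->query($sql);
     while($Line = $DbResult->fetch_assoc())
@@ -93,5 +94,5 @@
         'Title' => $LogType['Name'].' ('.$Line['UserName'].', '.$Line['IP'].')',
         'Link' => 'http://'.$this->System->Config['Web']['Host'].$this->System->Link('/log.php'),
-        'Description' => $LogType['Name'].': '.$Line['Text'].' ('.$Line['UserName'].', '.$Line['IP'].')',
+        'Description' => $LogType['Name'].': '.$Line['Text'].' ('.$Line['UserName'].', '.$Line['IP'].', '.$Line['TimeCreate'].')',
         'Time' => $Line['TimeCreate'],
       );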
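Review bot: The query at new lines 79–82 is still assembled by string concatenation, and the only thing keeping `$_GET['type']` out of the SQL text is the arithmetic coercion `($_GET['type'] * 1)`; nothing in the visible hunks adds the injection protection the commit message describes, so presumably it lives in request handling outside this file. Making the guard explicit here would stop the query depending on that: replace `($_GET['type'] * 1)` with `(int)$_GET['type']` after checking `is_scalar($_GET['type'])`, since an array-valued `type` makes the multiplication fail instead of being rejected cleanly. In the second hunk, `$Line['Text']`, `$Line['UserName']` and `$Line['IP']` are concatenated into the item description unescaped; if the feed writer outside this view does not encode them, they should go through `htmlspecialchars()` at this point. Both statements sit inside a method whose start and end are outside the hunks.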