Fixed some XSS and SQL injection issues
| | |
| | | else if ($ERROR_CODE==404) |
| | | { |
| | | $__error_title = "REQUEST FAILED/FILE NOT FOUND"; |
| | | $request_url = $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; |
| | | $request_url = htmlentities($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']); |
| | | $__error_text = <<<EOF |
| | | The requested page was not found!<br /> |
| | | Please contact your server-administrator. |
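Review bot: The htmlentities() call on the new `$request_url` line uses the default flags, so single quotes are left unescaped and, on PHP releases before 5.4, the default charset is ISO-8859-1, which can mis-handle multi-byte characters in a UTF-8 request URI. HTTP_HOST and REQUEST_URI are both attacker-controlled, so make the escaping context explicit: `$request_url = htmlentities($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8');`. Where `$request_url` is interpolated is not visible in this hunk; if it ends up inside a single-quoted attribute, the quote gap is exploitable. The heredoc and the enclosing `else if ($ERROR_CODE==404)` branch continue past the end of the hunk.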
| | |
| | | |
| | | if (($_GET['_iid'] || $_POST['_iid']) && $_action=='edit-identity') |
| | | { |
| | | $id = $_POST['_iid'] ? $_POST['_iid'] : $_GET['_iid']; |
| | | $DB->query("SELECT * FROM ".get_table_name('identities')." |
| | | WHERE identity_id=? |
| | | AND user_id=? |
| | | AND del<>1", |
| | | $id, |
| | | get_input_value('_iid', RCUBE_INPUT_GPC), |
| | | $_SESSION['user_id']); |
| | | |
| | | $IDENTITY_RECORD = $DB->fetch_assoc(); |
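Review bot: `$id = $_POST['_iid'] ? $_POST['_iid'] : $_GET['_iid'];` still reads the raw superglobals but appears to be unused now that the bound parameter is `get_input_value('_iid', RCUBE_INPUT_GPC)`, leaving a dead, unvalidated read that a later edit could quietly pass into a query again. Either drop that line or fetch once and reuse it: `$id = get_input_value('_iid', RCUBE_INPUT_GPC);` and bind `$id` in the query. The surrounding `if (($_GET['_iid'] || $_POST['_iid']) && ...)` guard also treats an identifier of `'0'` as absent and emits notices when neither key is set; `!empty()`/`isset()` checks would be clearer. If get_input_value() with RCUBE_INPUT_GPC follows PHP's GPC precedence rather than the old POST-over-GET rule, the effective source of `_iid` may change, which is worth confirming but is not visible here.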
| | |
| | | WHERE identity_id=? |
| | | AND user_id=? |
| | | AND del<>1", |
| | | $_POST['_iid'], |
| | | get_input_value('_iid', RCUBE_INPUT_POST), |
| | | $_SESSION['user_id']); |
| | | |
| | | $updated = $DB->affected_rows(); |
| | |
| | | AND identity_id<>? |
| | | AND del<>1", |
| | | $_SESSION['user_id'], |
| | | $_POST['_iid']); |
| | | get_input_value('_iid', RCUBE_INPUT_POST)); |
| | | |
| | | if ($_POST['_framed']) |
| | | { |