
cvs: pearweb /public_html package-stats-graph.php: msg#00040

php.pear.core

Subject: cvs: pearweb /public_html package-stats-graph.php

cellog Wed Oct 18 00:29:24 2006 UTC

Modified files:
/pearweb/public_html package-stats-graph.php
Log:
remove potential sql injection by usage of %s instead of %d
(legacy from previous code - this is not new, unfortunately)

# thanks ilia

http://cvs.php.net/viewvc.cgi/pearweb/public_html/package-stats-graph.php?r1=1.23&r2=1.24&diff_format=u
Index: pearweb/public_html/package-stats-graph.php
diff -u pearweb/public_html/package-stats-graph.php:1.23
pearweb/public_html/package-stats-graph.php:1.24
--- pearweb/public_html/package-stats-graph.php:1.23 Tue Oct 17 17:55:58 2006
+++ pearweb/public_html/package-stats-graph.php Wed Oct 18 00:29:24 2006
@@ -15,7 +15,7 @@
+----------------------------------------------------------------------+
| Authors: Richard Heyes <richard@xxxxxxx> |
+----------------------------------------------------------------------+
- $Id: package-stats-graph.php,v 1.23 2006/10/17 17:55:58 cellog Exp $
+ $Id: package-stats-graph.php,v 1.24 2006/10/18 00:29:24 cellog Exp $
*/

/*
@@ -59,7 +59,7 @@
$releases = explode(',', html_entity_decode($_GET['releases']));
}

-if (!is_array($releases)) {
+if (!isset($releases) || !is_array($releases)) {
exit;
}

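Review bot: the `isset()` guard closes the undefined-variable case when `$_GET['releases']` is absent, but the elements of `$releases` come straight from `explode(',', html_entity_decode($_GET['releases']))` and are not validated anywhere in this hunk; if they reach a query further down the file, as `pid` does, they need the same integer coercion this patch applies to `pid` (e.g. `$releases = array_map('intval', $releases);`). Running `html_entity_decode` over a raw query parameter also widens the accepted input, so it is worth confirming that decoding is actually required here.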
@@ -73,14 +73,14 @@

$sql = sprintf("SELECT YEAR(yearmonth) AS dyear, MONTH(yearmonth) AS
dmonth, SUM(downloads) AS downloads
FROM aggregated_package_stats a, releases r
- WHERE a.package_id = %s
+ WHERE a.package_id = %d
AND r.id = a.release_id
AND r.package = a.package_id
AND yearmonth > (now() - INTERVAL 1 YEAR)
%s
GROUP BY dyear, dmonth
ORDER BY dyear DESC, dmonth DESC",
- $_GET['pid'],
+ (int) $_GET['pid'],
$release_clause = $rid > 0 ? 'AND a.release_id = ' . $rid :
'');

if ($result = $dbh->query($sql)) {
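Review bot: the remaining `%s` placeholder is filled by `$release_clause = $rid > 0 ? 'AND a.release_id = ' . $rid : ''`, which concatenates `$rid` into the query with no cast; `$rid > 0` is a loose numeric comparison in PHP and does not make `$rid` an integer, so unless it was cast where it is assigned (not shown in this hunk) it deserves the same treatment as `pid`, e.g. `'AND a.release_id = ' . (int) $rid`. Two smaller points: the `(int)` cast and the `%d` conversion are redundant (either one integer-coerces the value), which is fine as defence in depth but worth a comment so the next editor does not "simplify" one away; and assigning `$release_clause` inside the argument list of `sprintf` buries a side effect in an expression and is better hoisted above the call.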


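Added example, in PHP, of why the `%s` to `%d` change matters; this is not pearweb's code and not part of the commit. `sprintf('%d', ...)` and `(int)` both coerce a string to its leading integer, so an injected tail is dropped, whereas `%s` pastes the raw string into the query. The query text mirrors the one in the diff; the function names, the typed `$rid` parameter and the sample input are this example's own assumptions.

```php
<?php
// Added example, not pearweb code: a minimal reproduction of the bug the
// commit fixes. The query mirrors the one in package-stats-graph.php; the
// function and variable names are this example's own.

/**
 * Build the package-stats query the way the unpatched ($hardened = false)
 * and patched ($hardened = true) code does.
 */
function build_stats_sql(string $pid, int $rid, bool $hardened): string
{
    // Unpatched: "%s" pastes the raw GET string into the SQL.
    // Patched:   "%d" (and the (int) cast) reduce it to an integer.
    $placeholder = $hardened ? '%d' : '%s';
    $pidArg      = $hardened ? (int) $pid : $pid;

    // $rid is typed int here, which stands in for the (int) cast the page's
    // own code does not show; a bare "$rid > 0" does not make a string numeric.
    $releaseClause = $rid > 0 ? 'AND a.release_id = ' . $rid : '';

    return sprintf(
        "SELECT YEAR(yearmonth) AS dyear, MONTH(yearmonth) AS dmonth, SUM(downloads) AS downloads
         FROM aggregated_package_stats a, releases r
         WHERE a.package_id = $placeholder
           AND r.id = a.release_id
           AND r.package = a.package_id
           AND yearmonth > (now() - INTERVAL 1 YEAR)
           %s
         GROUP BY dyear, dmonth
         ORDER BY dyear DESC, dmonth DESC",
        $pidArg,
        $releaseClause
    );
}

/** True if the built query still carries an injected OR-clause. */
function is_injected(string $sql): bool
{
    return stripos($sql, ' OR ') !== false;
}

// Constructed attacker input. It is "leading-numeric", so (int) and %d both
// turn it into 1, and a loose "$pid > 0" check would let it through as well.
$evilPid = '1 OR 1=1';

$unsafe = build_stats_sql($evilPid, 0, false);
$safe   = build_stats_sql($evilPid, 0, true);

printf("unpatched injected: %s\n", is_injected($unsafe) ? 'yes' : 'no');
printf("patched   injected: %s\n", is_injected($safe)   ? 'yes' : 'no');
```

With the unpatched placeholder the tautology survives into the query text; with the patched one only `a.package_id = 1` reaches the database. The same coercion is what a `(int)` cast on `$rid` would buy for the concatenated release clause.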
