From 479f8616e13c41bd15b020d7aa49bb61e48951b6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 21 May 2019 14:03:28 +0200
Subject: [PATCH] Fix sanitize data
---
 htdocs/admin/external_rss.php | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php
index 048d002a3b7..c4dd642dfee 100644
--- a/htdocs/admin/external_rss.php
+++ b/htdocs/admin/external_rss.php
@@ -66,8 +66,8 @@ else
 if ($action == 'add' || GETPOST("modify"))
 {
- $external_rss_title = "external_rss_title_" . GETPOST("norss");
- $external_rss_urlrss = "external_rss_urlrss_" . GETPOST("norss");
+ $external_rss_title = "external_rss_title_" . GETPOST("norss", 'int');
+ $external_rss_urlrss = "external_rss_urlrss_" . GETPOST("norss", 'int');
 if (! empty($_POST[$external_rss_urlrss]))
 {
@@ -95,7 +95,7 @@ if ($action == 'add' || GETPOST("modify"))
 {
 // Ajoute boite box_external_rss dans definition des boites
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes_def (file, note)";
- $sql.= " VALUES ('box_external_rss.php','".$db->escape(GETPOST("norss").' ('.GETPOST($external_rss_title)).")')";
+ $sql.= " VALUES ('box_external_rss.php','".$db->escape(GETPOST("norss", 'int').' ('.GETPOST($external_rss_title, 'alpha')).")')";
 if (! $db->query($sql))
 {
 dol_print_error($db);
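Review bot: On both added lines `GETPOST("norss", 'int')` is still concatenated as a string into the constant/field key; if the 'int' filter at this version only validates with is_numeric rather than casting (I believe that is what Dolibarr's checkVal did here, but confirm), inputs such as `1e2` or `1.5` still pass and yield odd key names. Reading it once as `$norss = (int) GETPOST("norss", 'int');` at the top of the branch and using `$norss` in place of the repeated GETPOST calls here and in the hunks at @@ -95, @@ -103, @@ -122 and @@ -168 pins the type and removes the duplication. The `if (! empty($_POST[$external_rss_urlrss]))` context line two lines below still reads the superglobal directly, bypassing the sanitizer this commit introduces; `if (! empty(GETPOST($external_rss_urlrss, 'alpha')))` keeps the branch consistent. The enclosing `if ($action == 'add' ...)` block continues outside the hunk.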
@@ -103,8 +103,8 @@ if ($action == 'add' || GETPOST("modify"))
 }
 }
- $result1=dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss"),GETPOST($external_rss_title),'chaine',0,'',$conf->entity);
- if ($result1) $result2=dolibarr_set_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss"),GETPOST($external_rss_urlrss),'chaine',0,'',$conf->entity);
+ $result1=dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss", 'int'), GETPOST($external_rss_title, 'alpha'), 'chaine', 0, '', $conf->entity);
+ if ($result1) $result2=dolibarr_set_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss", 'int'), GETPOST($external_rss_urlrss, 'alpha'), 'chaine', 0, '', $conf->entity);
 if ($result1 && $result2)
 {
@@ -122,13 +122,13 @@ if ($action == 'add' || GETPOST("modify"))
 if ($_POST["delete"])
 {
- if(GETPOST("norss"))
+ if (GETPOST("norss", 'int'))
 {
 $db->begin();
 // Supprime boite box_external_rss de definition des boites
 $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def";
- $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss"))." %'";
+ $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss", 'int'))." %'";
 $resql=$db->query($sql);
 if ($resql)
@@ -168,8 +168,8 @@ if ($_POST["delete"])
 }
- $result1=dolibarr_del_const($db,"EXTERNAL_RSS_TITLE_" . GETPOST("norss"),$conf->entity);
- if ($result1) $result2=dolibarr_del_const($db,"EXTERNAL_RSS_URLRSS_" . GETPOST("norss"),$conf->entity);
+ $result1=dolibarr_del_const($db,"EXTERNAL_RSS_TITLE_" . GETPOST("norss", 'int'), $conf->entity);
+ if ($result1) $result2=dolibarr_del_const($db,"EXTERNAL_RSS_URLRSS_" . GETPOST("norss", 'int'), $conf->entity);
 if ($result1 && $result2)
 {
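Review bot: The feed URL saved on the second added line of the @@ -103 hunk is only passed through the 'alpha' filter, which as far as I recall of checkVal rejects double quotes and `../` but never checks that the value is a URL (confirm against the GETPOST implementation at this version); since the stored constant is presumably fetched server-side later by the RSS box, outside this file, a non-http scheme or an internal address would be accepted as-is. Validating before the two dolibarr_set_const calls, e.g. `$url = GETPOST($external_rss_urlrss, 'alpha');` followed by `if (! filter_var($url, FILTER_VALIDATE_URL) || ! preg_match('/^https?:\/\//i', $url)) { /* report the error and skip the save */ }`, keeps the stored value to what the consumer expects. The `$result2` guard is fine as written: `$result1 && $result2` short-circuits, so the conditional assignment never leaves `$result2` read while undefined.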
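Review bot: In the @@ -122 hunk the first context line `if ($_POST["delete"])` still reads the superglobal directly and raises an undefined-index notice when the form is posted without that button; `if (GETPOST('delete'))` matches the sanitizing the commit applies to `norss` two lines below. With the 'int' filter in place the `note LIKE '<norss> %'` pattern is now built from a numeric value, so the remaining `$db->escape` is defensive rather than load-bearing, which is the right direction. The delete path opens `$db->begin()` but the matching commit/rollback lies outside the hunk, so I cannot confirm every exit closes the transaction; no anti-CSRF token check is visible for this destructive POST action either, and if the global token check in main.inc.php does not cover this page at this version one should be added here.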
@@ -270,13 +270,13 @@ if ($resql) print ''; print "".$langs->trans("Title").""; - print "global->$keyrsstitle . "\">"; + print "global->$keyrsstitle) . "\">"; print ""; print ''; print "".$langs->trans("URL").""; - print "global->$keyrssurl . "\">"; + print "global->$keyrssurl) . "\">"; print "";