chamilo
/
chamilo-lms
mirror of https://github.com/chamilo/chamilo-lms/tree/1.11.x
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Adding Database::escape_string() see https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues

Browse Source
1.9.x
Julio Montoya 12 years ago
parent cc26d1667d
commit 324ee13ef6
1 changed files with 2 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 3
      main/auth/profile.php

3
main/auth/profile.php
Unescape View File

@ -358,12 +358,13 @@ function upload_user_production($user_id) {
* @return bool true o false * @return bool true o false
* @uses Gets user ID from global variable * @uses Gets user ID from global variable
*/ */
function check_user_password($password){ function check_user_password($password) {
global $_user; global $_user;
$user_id = api_get_user_id(); $user_id = api_get_user_id();
if ($user_id != strval(intval($user_id)) || empty($password)) { return false; } if ($user_id != strval(intval($user_id)) || empty($password)) { return false; }
$table_user = Database :: get_main_table(TABLE_MAIN_USER); $table_user = Database :: get_main_table(TABLE_MAIN_USER);
$password = api_get_encrypted_password($password); $password = api_get_encrypted_password($password);
$password = Database::escape_string($password);
$sql_password = "SELECT * FROM $table_user WHERE user_id='".$user_id."' AND password='".$password."'"; $sql_password = "SELECT * FROM $table_user WHERE user_id='".$user_id."' AND password='".$password."'";
$result = Database::query($sql_password); $result = Database::query($sql_password);
return Database::num_rows($result) != 0; return Database::num_rows($result) != 0;

Write Preview
Loading…
Cancel
Save