Merge pull request #2206 from annando/1512-diaspora-sql

Diaspora: Fixed possible SQL injection
This commit is contained in:
Tobias Diekershoff 2015-12-27 07:02:21 +01:00
commit 06defed4cb
1 changed files with 4 additions and 4 deletions

View File

@ -805,7 +805,7 @@ function diaspora_is_redmatrix($url) {
} }
function diaspora_plink($addr, $guid) { function diaspora_plink($addr, $guid) {
$r = q("SELECT `url`, `nick`, `network` FROM `fcontact` WHERE `addr`='%s' LIMIT 1", $addr); $r = q("SELECT `url`, `nick`, `network` FROM `fcontact` WHERE `addr`='%s' LIMIT 1", dbesc($addr));
// Fallback // Fallback
if (!$r) if (!$r)
@ -2362,9 +2362,9 @@ function diaspora_signed_retraction($importer,$xml,$msg) {
// The first item in the `item` table with the parent id is the parent. However, MySQL doesn't always // The first item in the `item` table with the parent id is the parent. However, MySQL doesn't always
// return the items ordered by `item`.`id`, in which case the wrong item is chosen as the parent. // return the items ordered by `item`.`id`, in which case the wrong item is chosen as the parent.
// The only item with `parent` and `id` as the parent id is the parent item. // The only item with `parent` and `id` as the parent id is the parent item.
$p = q("select origin from item where parent = %d and id = %d limit 1", $p = q("SELECT `origin` FROM `item` WHERE `parent` = %d AND `id` = %d LIMIT 1",
$r[0]['parent'], intval($r[0]['parent']),
$r[0]['parent'] intval($r[0]['parent'])
); );
if(count($p)) { if(count($p)) {
if(($p[0]['origin']) && (! $parent_author_signature)) { if(($p[0]['origin']) && (! $parent_author_signature)) {