mirror of
https://port.numenaute.org/aleajactaest/khanat-opennel-code.git
synced 2024-12-24 09:58:46 +00:00
Protect shard admin auth SQL queries
This commit is contained in:
parent
07eff64df5
commit
1cec88b78b
2 changed files with 9 additions and 5 deletions
|
@ -8,7 +8,7 @@
|
|||
{
|
||||
global $db;
|
||||
|
||||
$sql = "UPDATE ". NELDB_USER_TABLE ." SET user_logged_count=user_logged_count+1,user_logged_last=". time() ." WHERE user_id=". $user_id;
|
||||
$sql = "UPDATE ". NELDB_USER_TABLE ." SET user_logged_count=user_logged_count+1,user_logged_last=". time() ." WHERE user_id=". (int)$user_id;
|
||||
$db->sql_query($sql);
|
||||
}
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
|||
|
||||
$data = null;
|
||||
|
||||
$sql = "SELECT * FROM ". NELDB_USER_TABLE ." LEFT JOIN ". NELDB_GROUP_TABLE ." ON (user_group_id=group_id) WHERE user_id=". $nelid;
|
||||
$sql = "SELECT * FROM ". NELDB_USER_TABLE ." LEFT JOIN ". NELDB_GROUP_TABLE ." ON (user_group_id=group_id) WHERE user_id=". (int)$nelid;
|
||||
if ($result = $db->sql_query($sql))
|
||||
{
|
||||
if ($db->sql_numrows($result))
|
||||
|
@ -34,7 +34,7 @@
|
|||
{
|
||||
global $db;
|
||||
|
||||
$sql = "SELECT user_name FROM ". NELDB_USER_TABLE ." WHERE user_id=". $group_id;
|
||||
$sql = "SELECT user_name FROM ". NELDB_USER_TABLE ." WHERE user_id=". (int)$group_id;
|
||||
if ($result = $db->sql_query($sql))
|
||||
{
|
||||
if ($db->sql_numrows($result))
|
||||
|
@ -53,7 +53,7 @@
|
|||
|
||||
$data = null;
|
||||
|
||||
$user = trim($user);
|
||||
$user = $db->sql_escape_string(trim($user));
|
||||
$passwd = md5(trim($passwd));
|
||||
|
||||
$sql = "SELECT * FROM ". NELDB_USER_TABLE ." LEFT JOIN ". NELDB_GROUP_TABLE ." ON (user_group_id=group_id) WHERE user_name='". $user ."' AND user_password='". $passwd ."' AND user_active=1 AND group_active=1";
|
||||
|
@ -120,4 +120,4 @@
|
|||
unset($NELTOOL['SESSION_VARS'][$name]);
|
||||
}
|
||||
|
||||
?>
|
||||
?>
|
||||
|
|
|
@ -251,6 +251,10 @@ class sql_db
|
|||
return false;
|
||||
}
|
||||
}
|
||||
function sql_escape_string($str)
|
||||
{
|
||||
return mysqli_real_escape_string($this->db_connect_id, $str);
|
||||
}
|
||||
function sql_error($query_id = 0)
|
||||
{
|
||||
$result["message"] = mysqli_error($this->db_connect_id);
|
||||
|
|
Loading…
Reference in a new issue