

Fix an SQL injection situation.
Reported by: Christian Inci - https://github.com/chris-pcguy
dlangille committed Mar 18, 2023
1 parent 9a9753b commit 08fbb1d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions www/graphs/graph.php
Expand Up @@ -38,7 +38,7 @@ function FreshPortsChart($title, $axislabel, $values, $labels, $urls, $file = "-
// parameters:
// id=number of graph

$id = pg_escape_string($db, $_REQUEST["id"]);
$id = intval(pg_escape_string($db, $_REQUEST["id"]));

// assume that we always have graph of id=0
if (!isset($id)) $id=0;
Expand All @@ -55,7 +55,7 @@ function FreshPortsChart($title, $axislabel, $values, $labels, $urls, $file = "-

// XXX CHANGE THE QUERY XXX
$data = @pg_exec($db, "select query, title, label, is_clickable from graphs where id = $id")
or die("PGERR 1: " . pg_ErrorMessage());
or die("PGERR 1: " . pg_ErrorMessage($db));

if (pg_num_rows($data) == 0)
die("GRAPH: invalid id");
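Review bot: The new `$id = intval(pg_escape_string($db, $_REQUEST["id"]));` line does close the injection, but wrapping a cast around an escape is redundant, and because `intval()` always yields an int the `if (!isset($id)) $id=0;` fallback two lines below becomes dead code; a missing or non-numeric `id` now appears to collapse silently to graph 0 instead of reaching the "invalid id" check further down. A clearer form that keeps the invalid-input path is `$id = filter_var($_REQUEST['id'] ?? 0, FILTER_VALIDATE_INT);` followed by `if ($id === false) die("GRAPH: invalid id");`, dropping the `isset($id)` fallback. The second hunk still interpolates `$id` into the SQL string and is safe only by virtue of the cast upstream; `pg_query_params($db, 'select query, title, label, is_clickable from graphs where id = $1', [$id])` would keep the value out of the query text regardless of how `$id` is derived, and would also let the `@` suppression on `pg_exec` (a deprecated alias of `pg_query`) be replaced by an explicit `=== false` check. The enclosing script continues outside both hunks.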

