fix sql injection hole where value fields were not being escaped in the stored file - (thanks to Filippo Cavallarin)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/branches/postfixadmin-2.3@1320 a1433add-5e2c-0410-b055-b7f2511e0802
This commit is contained in:
parent
d8895ccdc2
commit
9dd00fb0a7
11
backup.php
11
backup.php
@ -49,7 +49,7 @@ $cmd = "pg_dump -c -D -f /tix/miner/miner.sql -F p -N -U postgres $db";
|
||||
$res = `$cmd`;
|
||||
// Alternate: $res = shell_exec($cmd);
|
||||
echo $res;
|
||||
*/
|
||||
*/
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "GET")
|
||||
{
|
||||
@ -107,12 +107,9 @@ if ($_SERVER['REQUEST_METHOD'] == "GET")
|
||||
{
|
||||
while ($row = db_assoc ($result['result']))
|
||||
{
|
||||
foreach ($row as $key=>$val)
|
||||
{
|
||||
$fields[] = $key;
|
||||
$values[] = $val;
|
||||
}
|
||||
|
||||
$fields = array_keys($row);
|
||||
$values = array_values($row);
|
||||
$values = array_map('escape_string', $values);
|
||||
fwrite ($fh, "INSERT INTO ". $tables[$i] . " (". implode (',',$fields) . ") VALUES ('" . implode ('\',\'',$values) . "');\n");
|
||||
$fields = "";
|
||||
$values = "";
|
||||
|
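Review bot: After `$values = array_map('escape_string', $values);` the fwrite line still wraps every value in literal single quotes, so a column that is NULL in the database is written to the dump as `''` (presumably whatever escape_string returns for null, an empty string) rather than `NULL`, and a restore would silently turn NULLs into empty strings; mapping each value with a small wrapper such as `is_null($v) ? 'NULL' : "'" . escape_string($v) . "'"` and dropping the hard-coded quotes around the `implode` would keep NULLs intact while preserving the escaping this commit adds. The table name `$tables[$i]` and the column list from `array_keys($row)` remain unescaped; they come from the schema rather than from stored row data, so that looks acceptable, but a why-comment on the array_map line would help the next reader, e.g. `// row values may contain user-entered strings; escape them so the dump cannot carry SQL into a restore`. The trailing `$fields = ""; $values = "";` resets are now redundant because both variables are reassigned from `$row` at the top of each iteration. The enclosing while and if blocks start and end outside the hunk.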