User | Post |
Ikuzou Posts: 14/18 |
Xkeeper+:
Could you please give me a copy too please? I want to examine the board... |
Xkeeper Posts: 855/5653 |
I don't see why that isn't being filtered right now... |
Parasyte + Posts: 1/53 |
You forgot a few. |
Lord SkyLart Posts: 64/307 |
Ok. Thanks for the info. |
Ice Man Posts: 65/348 |
It works for both, you just have to know where to place it. |
Lord SkyLart Posts: 63/307 |
Originally posted by smwedit
One question is that for 1.a2 or 1.92. I am thinking 1.92. |
Sakura Posts: 23/227 |
Just ignore him, mmvent has no clue about what he's saying. |
smwedit Posts: 10/62 |
Originally posted by mvent2
mine was to prevent people from using auto submitting forms to force an administrator to make a user owner |
Xkeeper Posts: 355/5653 |
Try actually looking at the code. |
mvent2 Posts: 13/76 |
WTF? How does it work? |
Xkeeper Posts: 354/5653 |
Originally posted by mvent2
That provides no extra protection at all. |
mvent2 Posts: 12/76 |
No need for that thepass at all. Replace
    if($_POST[action]=='saveprofile'){
with
    if($_POST[action]=='saveprofile' && $isadmin){
and that provides the same level of protection. |
Xkeeper Posts: 308/5653 |
Well there it goes, I fired off two test copies to Randy and Darkslaya, and then one to (obviously) Acmlm,...
*X shrugs |
Xkeeper Posts: 306/5653 |
pity that method was obsoleted |
smwedit Posts: 8/62 |
this is similar to what I use and it works
to prevent basic SQL injection:
in edituser.php, find:
    $birthday=mktime(0,0,0,$bmonth,$bday,$byear);
add above it:
    $numposts = intval($numposts);
    $pemail = intval($pemail);
    $powerlevel = intval($powerlevel);
    $posttool = intval($posttool);
    $useranks = intval($useranks);
    $userid = intval($userid);
    $postsperpage = intval($postsperpage);
    $threadsperpage = intval($threadsperpage);
    $timezone = intval($timezone);
    $icq = intval($icq);
    $sex = intval($sex);
and to prevent auto submitting:
find:
    $inph=userid VALUE=$id>
add above or under it:
    $inph=thepass VALUE='$loguser[password]'>
and find:
    if($_POST[action]=='saveprofile'){
change it to:
    if($_POST[action]=='saveprofile' and $thepass==$loguser[password]){ |
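The auto-submit check from the post above, shown with a random per-session token in place of the stored password value so that value is not written into the page, and with a constant-time comparison. This is an added example, not code from the thread or from the board's source; the names csrf_token, csrf_field, may_save_profile and the token field are hypothetical.

```php
<?php
// Added example. All function, field and variable names here are hypothetical,
// not taken from the board's code.

// Create the per-session token once; random_bytes() is a CSPRNG (PHP 7+).
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Hidden field to emit inside the edituser form.
function csrf_field(array &$session): string {
    return '<input type="hidden" name="token" value="' . csrf_token($session) . '">';
}

// Gate for the saveprofile action: the admin check plus a token that only a
// page served by the board itself could have placed in the form.
function may_save_profile(array $post, array $session, bool $isadmin): bool {
    if (($post['action'] ?? '') !== 'saveprofile' || !$isadmin) {
        return false;
    }
    $sent  = $post['token'] ?? '';
    $known = $session['csrf'] ?? '';
    // Reject arrays and empty tokens before the constant-time comparison.
    return is_string($sent) && is_string($known) && $known !== ''
        && hash_equals($known, $sent);
}

// Constructed demo data: one admin session, a genuine submit and an
// auto-submitted form that carries the session cookie but no valid token.
$session = [];
$token   = csrf_token($session);
$genuine = ['action' => 'saveprofile', 'token' => $token, 'powerlevel' => '3'];
$forged  = ['action' => 'saveprofile', 'powerlevel' => '4'];

var_dump(may_save_profile($genuine, $session, true));   // genuine admin submit
var_dump(may_save_profile($forged, $session, true));    // admin session, token missing
var_dump(may_save_profile($genuine, $session, false));  // valid token, not an admin

// Numeric fields are still cast before they reach a query, as in the post above.
$powerlevel = intval($genuine['powerlevel']);
```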
DarkSlaya Posts: 94/936 |
Originally posted by ExKay
I'd appreciate, too. |
Xkeeper Posts: 257/5653 |
I can give you the latest version, if you don't mind a horribly (in)complete version that still has a lot of misplaced floating code. |
Randy53215 Posts: 25/726 |
This thread is to be dedicated to hole fixes that are in distros.
If you know of a hole we would appreciate you reporting it through a PM. That's all I have for now until I get the latest distro of the board. [sticky] |