MDL-15184: fix sql injection vulnerability

gbateson 2008-07-01 10:49:22 +00:00
parent 36ea9a6c98
commit e5e02e4686


@ -380,10 +380,14 @@ function hotpot_delete_selected_attempts(&$hotpot, $del) {
$select = "hotpot=:hotpotid AND status=".HOTPOT_STATUS_ABANDONED; $select = "hotpot=:hotpotid AND status=".HOTPOT_STATUS_ABANDONED;
break; break;
case 'selection': case 'selection':
$ids = (array)data_submitted(); $ids = array();
unset($ids['del']); $data = (array)data_submitted();
unset($ids['id']); foreach ($data as $name => $value) {
if (!empty($ids)) { if (preg_match('/^box\d+$/', $name)) {
$ids[] = intval($value);
}
}
if (count($ids)) {
list($ids, $idparams) = $DB->get_in_or_equal($ids, SQL_PARAMS_NAMED, 'crid0'); list($ids, $idparams) = $DB->get_in_or_equal($ids, SQL_PARAMS_NAMED, 'crid0');
$params = array_merge($params, $idparams); $params = array_merge($params, $idparams);
$select = "hotpot=:hotpotid AND clickreportid $ids"; $select = "hotpot=:hotpotid AND clickreportid $ids";
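Review bot: In the `'selection'` case the new loop appends every `intval($value)` it finds, so a non-numeric `box` value becomes id 0 and is still handed to `get_in_or_equal()`; since the values are bound as named parameters and the select stays scoped by `hotpot=:hotpotid` this should be harmless, but dropping non-positive ids is cleaner: `$id = intval($value); if ($id > 0) { $ids[] = $id; }`. The pattern `'/^box\d+$/'` lets `$` match before a trailing newline, and `'/^box\d+$/D'` anchors it strictly. `$ids` is then overwritten with the SQL fragment returned by `get_in_or_equal()`, which would read more clearly in a separate variable, and a short comment above the loop saying that only `box<N>` fields are accepted as attempt ids would record why the whole submitted form is no longer used. When no `box` field is submitted this branch does not set `$select`; the rest of hotpot_delete_selected_attempts is outside the hunk, so confirm the code after the switch skips the delete in that case.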