From: Janusz Dobrowolski Date: Sun, 9 Sep 2012 07:42:04 +0000 (+0200) Subject: Security cleanups in access roles and db_pager. X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=commitdiff_plain;h=fda301ac04fce9bd200cc4e5cd93edeacc6217bc;p=textcart.git Security cleanups in access roles and db_pager.
---
diff --git a/admin/security_roles.php b/admin/security_roles.php
index 2727af4..f8b4455 100644
--- a/admin/security_roles.php
+++ b/admin/security_roles.php
@@ -90,10 +90,10 @@ if (get_post('addupdate'))
 if (($a&~0xffff) && (($a&0xff00)<(99<<8))) {
 $sections[] = $a&~0xff; // add extended section for plugins
 }
-$areas[] = $a;
+$areas[] = (int)$a;
 }
 if (substr($p,0,7) == 'Section')
-$sections[] = substr($p, 7);
+$sections[] = (int)substr($p, 7);
 }
 // $areas = sort_areas($areas);
diff --git a/includes/db_pager.inc b/includes/db_pager.inc
index 64a79ed..36afb92 100644
--- a/includes/db_pager.inc
+++ b/includes/db_pager.inc
@@ -283,7 +283,9 @@ class db_pager {
 }
 if (count($ord)) {
-$sql .= " ORDER BY " . implode($ord, ',');
+$ord = array_map(function_exists('mysql_real_escape_string') ?
+'mysql_real_escape_string': 'mysql_escape_string', $ord);
+$sql .= " ORDER BY " . implode(',', $ord);
 } else {
 if($order) $sql .= " ORDER BY $order"; // original base query order
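Review bot: The `(int)` casts on `$areas[] = (int)$a;` and `$sections[] = (int)substr($p, 7);` are coercion, not validation: a non-numeric value silently becomes 0 and a leading-numeric one is truncated, so a malformed form key still lands in `$areas`/`$sections` as a valid-looking id, and the bit tests `$a&~0xffff` / `$a&~0xff` on the lines above already coerce `$a` the same way, so the cast changes nothing about what reaches the section logic. If these ids are later stored as role permissions, rejecting is safer than coercing, e.g. `if (!ctype_digit((string)$a)) continue;` before the `if (($a&~0xffff) ...` test, and likewise `if (!ctype_digit(substr($p, 7))) continue;` before the section append. Where `$a` and `$p` are assigned is outside this hunk (the loop and the enclosing `if (get_post('addupdate'))` block start before it), so presumably they derive from POST keys; the check belongs wherever they are first read. A one-line comment such as `// $a/$p come from submitted form keys: validate as integers, do not just cast` would make the intent of these lines clear to the next reader.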
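Review bot: Mapping `mysql_real_escape_string` over `$ord` does not protect the `ORDER BY` clause built on the next line: the fragments are interpolated unquoted, and that function only escapes quotes, backslashes and NUL, so a value like `1, (SELECT ...)` or `name DESC, (CASE WHEN ...)` passes through untouched — escaping is the wrong tool for identifier/expression position. `$ord` is assembled before this hunk (the enclosing method of `db_pager` starts outside it), so if every element comes from the pager's own column definitions the mapping is dead weight, and if the sort column or direction can come from the request it should be whitelisted where it is read, e.g. `$ord = preg_grep('/^[A-Za-z0-9_.]+( +(ASC|DESC))?$/i', array_map('trim', $ord));` tightened to the actual column names. Note also that `mysql_real_escape_string` returns false with a warning when no connection is open yet, which would collapse the clause to an invalid `ORDER BY` fragment, and the `mysql_escape_string` fallback is deprecated and charset-unaware. The argument-order correction to `implode(',', $ord)` is right and should stay.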