admin/Facilitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PNBR#41284 SQL-injection voorkomen

Browse Source 
svn path=/Website/trunk/; revision=34970
This commit is contained in:
Koen Reefman
2017-08-17 07:33:07 +00:00
parent bcbcf30991
commit 445b59b99a
2 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
APPL/FAC/fac_edit_faq.asp
View File

@@ -115,17 +115,17 @@ else
BLOCK_END(); BLOCK_END();
BLOCK_START("mldInfo", L("lcl_faq_itemadm")); BLOCK_START("mldInfo", L("lcl_faq_itemadm"));
var sql= " SELECT 1, " + safe.quoted_sql(L("lcl_faq_level1")) + " FROM DUAL" var sql = " SELECT 1, " + safe.qL("lcl_faq_level1") + " FROM DUAL"
+ " UNION ALL SELECT 2, " + safe.quoted_sql(L("lcl_faq_level2")) + " FROM DUAL" + " UNION ALL SELECT 2, " + safe.qL("lcl_faq_level2") + " FROM DUAL"
+ " UNION ALL SELECT 3, " + safe.quoted_sql(L("lcl_faq_level3")) + " FROM DUAL" + " UNION ALL SELECT 3, " + safe.qL("lcl_faq_level3") + " FROM DUAL"
FCLTselector("fac_faq_level", sql, FCLTselector("fac_faq_level", sql,
{ initKey: level, { initKey: level,
label: L("lcl_faq_level") label: L("lcl_faq_level")
}); });
var displaySql = " SELECT 0, '" + L("lcl_faq_display_popup") + "' FROM DUAL UNION ALL " var displaySql = " SELECT 0, " + safe.qL("lcl_faq_display_popup") + " FROM DUAL"
+ " SELECT 1, '" + L("lcl_faq_display_screen") + "' FROM DUAL UNION ALL " + " UNION ALL SELECT 1, " + safe.qL("lcl_faq_display_screen") + " FROM DUAL"
+ " SELECT 2, '" + L("lcl_faq_display_both_edit")+ "' FROM DUAL"; + " UNION ALL SELECT 2, " + safe.qL("lcl_faq_display_both_edit") + " FROM DUAL";
FCLTselector("fac_faq_displaymode", FCLTselector("fac_faq_displaymode",
displaySql, displaySql,

6
APPL/FAC/fac_show_faq.asp
View File

@@ -141,9 +141,9 @@ var canChange = canWriteFAQBOF || (canWriteFAQFOF && datum == null)
BLOCK_START("mldInfo", L("lcl_faq_itemadm")); BLOCK_START("mldInfo", L("lcl_faq_itemadm"));
ROFIELDTR("fld", L("lcl_faq_level"), fac.getfaqleveltext(level)); ROFIELDTR("fld", L("lcl_faq_level"), fac.getfaqleveltext(level));
var displaySql = " SELECT 0, '" + L("lcl_faq_display_popup") + "' FROM DUAL UNION ALL " var displaySql = " SELECT 0, " + safe.qL("lcl_faq_display_popup") + " FROM DUAL"
+ " SELECT 1, '" + L("lcl_faq_display_screen") + "' FROM DUAL UNION ALL " + " UNION ALL SELECT 1, " + safe.qL("lcl_faq_display_screen") + " FROM DUAL"
+ " SELECT 2, '" + L("lcl_faq_display_both_show")+ "' FROM DUAL"; + " UNION ALL SELECT 2, " + safe.qL("lcl_faq_display_both_show") + " FROM DUAL";
FCLTselector("fld", FCLTselector("fld",
displaySql, displaySql,