Wernis extension more secured
authorRoland Häder <roland@mxchange.org>
Mon, 17 Mar 2008 12:26:18 +0000 (12:26 +0000)
committerRoland Häder <roland@mxchange.org>
Mon, 17 Mar 2008 12:26:18 +0000 (12:26 +0000)
inc/extensions/ext-wernis.php
inc/modules/guest/what-register.php
inc/modules/member/what-wernis.php

index 013714a5692f74caae1fd41e391ad8bb39e74aac..13961cc2ed16af1e8f5b05cbd3237fcb1dcb1b4c 100644 (file)
@@ -60,7 +60,7 @@ wernis_amount double(22,5) NOT NULL default '0.00000',
 wernis_timestamp varchar(10) NOT NULL default '0',
 wernis_type ENUM('IN','OUT', 'FAILED') NOT NULL default 'FAILED',
 wernis_api_message TINYTEXT,
-wernis_api_status varchar(255) NULL default NULL
+wernis_api_status varchar(255) NULL default NULL,
 KEY(userid),
 PRIMARY KEY(id)
 ) TYPE=MyISAM";
index 03bd3a0e08a7a55b2ca5f0b3914cfc0d84c6eaa5..eaad356ca9084a95b3ff98adae6550de714d7ffa 100644 (file)
@@ -306,26 +306,26 @@ array(
                'hash'    => $hash,
                'uid'     => $userid,
                'salut'   => $sex,
-               'surname' => $_POST['surname'],
-               'family'  => $_POST['family_name'],
-               'email'   => $_POST['addy'],
-               'street'  => $_POST['street_nr'],
-               'city'    => $_POST['city'],
+               'surname' => SQL_ESCAPE($_POST['surname']),
+               'family'  => SQL_ESCAPE($_POST['family_name']),
+               'email'   => SQL_ESCAPE($_POST['addy']),
+               'street'  => SQL_ESCAPE($_POST['street_nr']),
+               'city'    => SQL_ESCAPE($_POST['city']),
                'zip'     => bigintval($_POST['zip']),
                'country' => $countryData,
-               'refid'   => $_POST['refid'],
-               'pass'    => $_POST['pass1'],
+               'refid'   => SQL_ESCAPE($_POST['refid']),
+               'pass'    => SQL_ESCAPE($_POST['pass1']),
        );
 
        // Continue with birthday...
        switch (GET_LANGUAGE())
        {
        case "de":
-               $DATA['birthday'] = $_POST['day'].".".$_POST['month'].".".$_POST['year'];
+               $DATA['birthday'] = bigintval($_POST['day']).".".bigintval($_POST['month']).".".bigintval($_POST['year']);
                break;
 
        default:
-               $DATA['birthday'] = $_POST['month']."/".$_POST['day']."/".$_POST['year'];
+               $DATA['birthday'] = bigintval($_POST['month']."/".bigintval($_POST['day'])."/".bigintval($_POST['year']);
                break;
        }
 
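Review bot: The `default:` branch of the birthday switch has a misplaced parenthesis in the new line: the outer `bigintval(` opens before `$_POST['month']` and only closes after the year, so the whole `month/day/year` concatenation is passed to a single `bigintval` call and `$DATA['birthday']` becomes one integer instead of a date; it should read `$DATA['birthday'] = bigintval($_POST['month'])."/".bigintval($_POST['day'])."/".bigintval($_POST['year']);` to mirror the `de` branch above it. Separately, `'pass' => SQL_ESCAPE($_POST['pass1'])` escapes the password at collection time: if the value is hashed later, the hash covers the escaped string rather than what the user typed, and if it is stored verbatim the escaping belongs at the query layer — in either case the raw value should be hashed before it enters `$DATA`, though the hashing step is not visible in this hunk. `$sex`, `$userid` and `$countryData` are left untouched, which is only safe if they are validated upstream; that cannot be confirmed from here. The `$DATA = array(` literal begins before the hunk.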
index f6ef2687f6a853dcd7eb093734a2445d608589dc..4fc5af8c21563ed07a19f4d48be625ef336cc4b6 100644 (file)
@@ -116,6 +116,9 @@ if ((!isset($_GET['mode'])) || ($_GET['mode'] == "choose")) {
        $points = explode(".", $points);
        $points = bigintval($points[0]);
 
+       // Remove the registration fee
+       $points = $points - $_CONFIG['points_register'];
+
        // Is this enougth for a payout?
        if ($points < $_CONFIG['wernis_min_payout']) {
                // No, then abort here
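Review bot: The new `$points = $points - $_CONFIG['points_register'];` line can drive `$points` negative and discards the integer normalisation that `bigintval($points[0])` just applied, because `$_CONFIG['points_register']` is used without a cast; the following `< $_CONFIG['wernis_min_payout']` test only rejects such a value if that minimum is positive, which is not visible here. Clamping and normalising in one step, `$points = max(0, $points - bigintval($_CONFIG['points_register']));`, keeps the later comparison and anything downstream that uses `$points` on a non-negative integer. The added comment states what is done but not why; `// Registration fee is not payable, so deduct it from the balance before the payout check` would record the intent. The enclosing `if` block continues past the hunk.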