// Default admin action is the overview page
$what = 'overview';
} else {
- // Compile out some chars
- $what = compileCode($what, false, false, false);
+ // Secure it
+ $what = secureString($what);
}
// Get action value
// Shall we process this id? It muss not be empty, of course
if (($skip === false) && (!empty($id)) && (!isset($GLOBALS['skip_config'][$id]))) {
- // Save this entry
- $val = compileCode($val);
-
// Translate the value? (comma to dot!)
if ((is_array($translateComma)) && (in_array($id, $translateComma))) {
// Then do it here... :)
// Init output
$OUT = '';
- // Compile out security characters (must be for looking up!)
- $email = compileCode($email);
-
// Look up administator login
$result = SQL_QUERY_ESC("SELECT `id`, `login`, `password` FROM `{?_MYSQL_PREFIX?}_admins` WHERE `email`='%s' LIMIT 1",
array($email), __FUNCTION__, __LINE__);
// By default nothing validates... ;)
$valid = false;
- // Compile the login for lookup
- $login = compileCode($login);
-
// Then try to find that user
$result = SQL_QUERY_ESC("SELECT `id`, `password`, `email` FROM `{?_MYSQL_PREFIX?}_admins` WHERE `login`='%s' LIMIT 1",
- array($login), __FUNCTION__, __LINE__);
+ array($login), __FUNCTION__, __LINE__);
// Is an account here?
if (SQL_NUMROWS($result) == 1) {
$content = SQL_FETCHARRAY($result);
// Generate hash again
- $hashFromData = generateHash(getConfig('URL').':'.$content['id'].':'.$login.':'.$content['password'], substr($content['password'], 10));
+ $hashFromData = generateHash(getConfig('URL') . ':' . $content['id'] . ':' . $login . ':' . $content['password'], substr($content['password'], 10));
// Does both match?
$valid = ($hash == $hashFromData);