Wernis extension more secured
authorRoland Häder <roland@mxchange.org>
Mon, 17 Mar 2008 12:26:18 +0000 (12:26 +0000)
committerRoland Häder <roland@mxchange.org>
Mon, 17 Mar 2008 12:26:18 +0000 (12:26 +0000)
inc/extensions/ext-wernis.php
inc/modules/guest/what-register.php
inc/modules/member/what-wernis.php

index 013714a..13961cc 100644 (file)
@@ -60,7 +60,7 @@ wernis_amount double(22,5) NOT NULL default '0.00000',
 wernis_timestamp varchar(10) NOT NULL default '0',
 wernis_type ENUM('IN','OUT', 'FAILED') NOT NULL default 'FAILED',
 wernis_api_message TINYTEXT,
-wernis_api_status varchar(255) NULL default NULL
+wernis_api_status varchar(255) NULL default NULL,
 KEY(userid),
 PRIMARY KEY(id)
 ) TYPE=MyISAM";
index 03bd3a0..eaad356 100644 (file)
@@ -306,26 +306,26 @@ array(
                'hash'    => $hash,
                'uid'     => $userid,
                'salut'   => $sex,
-               'surname' => $_POST['surname'],
-               'family'  => $_POST['family_name'],
-               'email'   => $_POST['addy'],
-               'street'  => $_POST['street_nr'],
-               'city'    => $_POST['city'],
+               'surname' => SQL_ESCAPE($_POST['surname']),
+               'family'  => SQL_ESCAPE($_POST['family_name']),
+               'email'   => SQL_ESCAPE($_POST['addy']),
+               'street'  => SQL_ESCAPE($_POST['street_nr']),
+               'city'    => SQL_ESCAPE($_POST['city']),
                'zip'     => bigintval($_POST['zip']),
                'country' => $countryData,
-               'refid'   => $_POST['refid'],
-               'pass'    => $_POST['pass1'],
+               'refid'   => SQL_ESCAPE($_POST['refid']),
+               'pass'    => SQL_ESCAPE($_POST['pass1']),
        );
 
        // Continue with birthday...
        switch (GET_LANGUAGE())
        {
        case "de":
-               $DATA['birthday'] = $_POST['day'].".".$_POST['month'].".".$_POST['year'];
+               $DATA['birthday'] = bigintval($_POST['day']).".".bigintval($_POST['month']).".".bigintval($_POST['year']);
                break;
 
        default:
-               $DATA['birthday'] = $_POST['month']."/".$_POST['day']."/".$_POST['year'];
+               $DATA['birthday'] = bigintval($_POST['month']."/".bigintval($_POST['day'])."/".bigintval($_POST['year']);
                break;
        }
 
index f6ef268..4fc5af8 100644 (file)
@@ -116,6 +116,9 @@ if ((!isset($_GET['mode'])) || ($_GET['mode'] == "choose")) {
        $points = explode(".", $points);
        $points = bigintval($points[0]);
 
+       // Remove the registration fee
+       $points = $points - $_CONFIG['points_register'];
+
        // Is this enougth for a payout?
        if ($points < $_CONFIG['wernis_min_payout']) {
                // No, then abort here