From a2c2e0711e61b8ba5f3ee1fd4b3958d9014669a6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?=
Date: Mon, 17 Mar 2008 12:26:18 +0000
Subject: [PATCH] Wernis extension more secured
---
 inc/extensions/ext-wernis.php | 2 +-
 inc/modules/guest/what-register.php | 18 +++++++++---------
 inc/modules/member/what-wernis.php | 3 +++
 3 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/inc/extensions/ext-wernis.php b/inc/extensions/ext-wernis.php
index 013714a569..13961cc2ed 100644
--- a/inc/extensions/ext-wernis.php
+++ b/inc/extensions/ext-wernis.php
@@ -60,7 +60,7 @@ wernis_amount double(22,5) NOT NULL default '0.00000',
 wernis_timestamp varchar(10) NOT NULL default '0',
 wernis_type ENUM('IN','OUT', 'FAILED') NOT NULL default 'FAILED',
 wernis_api_message TINYTEXT,
-wernis_api_status varchar(255) NULL default NULL
+wernis_api_status varchar(255) NULL default NULL,
 KEY(userid),
 PRIMARY KEY(id)
 ) TYPE=MyISAM";
diff --git a/inc/modules/guest/what-register.php b/inc/modules/guest/what-register.php
index 03bd3a0e08..eaad356ca9 100644
--- a/inc/modules/guest/what-register.php
+++ b/inc/modules/guest/what-register.php
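Review bot: The added comma repairs the `CREATE TABLE` string, but if this statement is only executed when the extension is registered, installations that registered it while the statement was still broken have no table and are not repaired by this commit alone; an update step that re-issues the `CREATE TABLE` (for example with `IF NOT EXISTS`) would cover them — worth confirming against the extension's update block, which is not visible in this hunk. The SQL string itself begins and ends outside the hunk.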
@@ -306,26 +306,26 @@ array(
 'hash' => $hash,
 'uid' => $userid,
 'salut' => $sex,
- 'surname' => $_POST['surname'],
- 'family' => $_POST['family_name'],
- 'email' => $_POST['addy'],
- 'street' => $_POST['street_nr'],
- 'city' => $_POST['city'],
+ 'surname' => SQL_ESCAPE($_POST['surname']),
+ 'family' => SQL_ESCAPE($_POST['family_name']),
+ 'email' => SQL_ESCAPE($_POST['addy']),
+ 'street' => SQL_ESCAPE($_POST['street_nr']),
+ 'city' => SQL_ESCAPE($_POST['city']),
 'zip' => bigintval($_POST['zip']),
 'country' => $countryData,
- 'refid' => $_POST['refid'],
- 'pass' => $_POST['pass1'],
+ 'refid' => SQL_ESCAPE($_POST['refid']),
+ 'pass' => SQL_ESCAPE($_POST['pass1']),
 );
 // Continue with birthday...
 switch (GET_LANGUAGE()) {
 case "de":
- $DATA['birthday'] = $_POST['day'].".".$_POST['month'].".".$_POST['year'];
+ $DATA['birthday'] = bigintval($_POST['day']).".".bigintval($_POST['month']).".".bigintval($_POST['year']);
 break;
 default:
- $DATA['birthday'] = $_POST['month']."/".$_POST['day']."/".$_POST['year'];
+ $DATA['birthday'] = bigintval($_POST['month']."/".bigintval($_POST['day'])."/".bigintval($_POST['year']);
 break;
 }
diff --git a/inc/modules/member/what-wernis.php b/inc/modules/member/what-wernis.php
index f6ef2687f6..4fc5af8c21 100644
--- a/inc/modules/member/what-wernis.php
+++ b/inc/modules/member/what-wernis.php
@@ -116,6 +116,9 @@ if ((!isset($_GET['mode'])) || ($_GET['mode'] == "choose")) {
 $points = explode(".", $points);
 $points = bigintval($points[0]);
+ // Remove the registration fee
+ $points = $points - $_CONFIG['points_register'];
+ // Is this enougth for a payout?
 if ($points < $_CONFIG['wernis_min_payout']) {
 // No, then abort here
-- 
2.30.2
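Review bot: The `default:` branch of the birthday switch has a misplaced parenthesis — `bigintval($_POST['month']."/".bigintval($_POST['day']))` feeds the concatenated `month/day` string into the first `bigintval()` call, so the day never becomes a separate field and the stored birthday has the wrong shape for every non-`de` locale; it should read `$DATA['birthday'] = bigintval($_POST['month'])."/".bigintval($_POST['day'])."/".bigintval($_POST['year']);`, mirroring the `de` branch. Separately, `'refid'` looks like a numeric referral id and would be handled more consistently by `bigintval()`, as `'zip'` is, than by `SQL_ESCAPE()`, which only escapes quotes and leaves any non-numeric input in place. Note too that escaping `$_POST['pass1']` at this point alters the password value itself when it contains quotes or backslashes; if that value is later hashed, the login path must apply the same escaping or such passwords will never verify — worth confirming against the code outside this hunk. The enclosing block starts before the hunk.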
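Review bot: The fee deduction `$points = $points - $_CONFIG['points_register'];` is applied only inside this `choose` branch; if the branch that actually performs the payout (another `$_GET['mode']` value, outside this hunk) recomputes the available balance from the same source, the same subtraction has to be repeated there, otherwise the server-side check would let the registration fee be paid out as well — worth confirming, since that code is not visible here. The following `if ($points < $_CONFIG['wernis_min_payout'])` also rejects a negative result, so no extra guard is needed as long as the configured minimum is non-negative. The enclosing `if` block starts and ends outside the hunk.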