s.probst/OpenXE
1
0
Fork 0
mirror of https://github.com/OpenXE-org/OpenXE.git synced 2025-01-12 06:41:14 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #85 from RETROTEC-AG/feature/#12_Logfile-addLogFile-does-not-escape-the-given-parameters

Browse Source 
Logfile::addLogFile() does not escape the given parameters
This commit is contained in:
OpenXE-ERP 2023-07-19 18:11:20 +02:00 committed by GitHub
commit 322ca715eb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
www/pages/logfile.php
View File

@ -1,4 +1,4 @@
<?php <?php
/* /*
**** COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE **** **** COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE ****
* *
@ -10,8 +10,8 @@
* to obtain the text of the corresponding license version. * to obtain the text of the corresponding license version.
* *
**** END OF COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE **** **** END OF COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE ****
*/ */
?> ?>
<?php <?php
class Logfile { class Logfile {
/** @var Application $app */ /** @var Application $app */
@ -253,9 +253,13 @@ class Logfile {
} }
} }
} }
if(is_array($meldung)) {
$meldung = $this->app->DB->real_escape_string(print_r($meldung, true)); $module = $this->app->DB->real_escape_string(is_scalar($module) ? strval($module) : print_r($module, true));
} $action = $this->app->DB->real_escape_string(is_scalar($action) ? strval($action) : print_r($action, true));
$meldung = $this->app->DB->real_escape_string(is_scalar($meldung) ? strval($meldung) : print_r($meldung, true));
$dump = $this->app->DB->real_escape_string(is_scalar($dump) ? strval($dump) : print_r($dump, true));
$functionname = $this->app->DB->real_escape_string(is_scalar($functionname) ? strval($functionname) : print_r($functionname, true));
$this->app->DB->Insert( $this->app->DB->Insert(
sprintf( sprintf(
"INSERT INTO logfile (module,action,meldung,dump,datum,bearbeiter,funktionsname) "INSERT INTO logfile (module,action,meldung,dump,datum,bearbeiter,funktionsname)