On Mon, Apr 25, 2011 at 11:23:01PM -0500, Dan McGee wrote:
> Ensure we are not quoting these values in any of our SQL queries.
>
> Thanks-to: elij <elij.mx@gmail.com>
> Signed-off-by: Dan McGee <dan@archlinux.org>
> ---
>
> Smoke tested:
> * Submitted a package update and it worked
> * Updated a user's password from non-salted to salted variety
> * Numerous login/logout cycles
>
>  web/html/passreset.php | 4 ++--
>  web/html/pkgsubmit.php | 2 +-
>  web/lib/acctfuncs.inc | 18 +++++++++---------
>  web/lib/aur.inc | 6 +++---
>  4 files changed, 15 insertions(+), 15 deletions(-)

Mhh. Basically looks good to me :) Did you check if all affected variables are correctly coerced into integers? If there's any unquoted parameter that is escaped using mysql_real_escape_string() instead of intval() (or something similar), we might become vulnerable to SQL injections, again. We should have used integer conversions in the first place, of course, but this patch will probably turn any mysql_real_escape_string() misuse into an exploitable injection vulnerability.
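
The concern raised in the reply above, as an added example that is not part of the original thread or the AUR code: string escaping leaves a non-numeric value untouched, so once the quotes are removed only an integer conversion keeps it out of the query structure. The `Users` table, its rows, the input value and the helpers `escape_like_mysql()` and `count_rows()` are assumptions made for illustration, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example; table, rows, input and helper names are constructed.

// Hypothetical stand-in for mysql_real_escape_string(): backslash-escapes the
// same characters (\, ', ", NUL, \n, \r, Ctrl-Z) without needing a MySQL link.
function escape_like_mysql(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// In-memory SQLite database as a stand-in for the MySQL backend.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT)");
$db->exec("INSERT INTO Users (ID, Username) VALUES (1,'alice'),(2,'bob'),(3,'carol')");

// Count the rows a given WHERE clause selects.
function count_rows(PDO $db, string $where): int {
    return (int) $db->query("SELECT COUNT(*) FROM Users WHERE $where")->fetchColumn();
}

// Constructed request parameter that should have been an integer ID.
$input   = "0 OR 1=1";
// Escaping returns it unchanged: it contains none of the escaped characters.
$escaped = escape_like_mysql($input);

$cases = [
    // Before the patch: the value stays inside a string literal.
    "quoted + escaped"   => "ID = '" . $escaped . "'",
    // After the patch, if escaping is still used: the value becomes SQL syntax.
    "unquoted + escaped" => "ID = " . $escaped,
    // After the patch, with integer coercion: only a number reaches the query.
    "unquoted + intval"  => "ID = " . intval($input),
];

foreach ($cases as $label => $where) {
    printf("%-20s WHERE %-18s -> %d row(s)\n", $label, $where, count_rows($db, $where));
}
```

Reviewing a patch like this one means checking that every parameter whose quotes were dropped passes through `intval()` or an equivalent cast at the point where the query is built.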