From 65c63199e9a66953ac83535b3370ff4200a47e16 Mon Sep 17 00:00:00 2001
From: Henoch Einbier <axcessor@hotmail.com>
Date: Fri, 25 Oct 2019 23:41:09 +0300
Subject: [PATCH] Update doppelaccis.php
-secured pdo queries with bindParam
-mysql_error -> $sql->errorInfo()
---
 adminforce/content/usersystem/doppelaccis.php | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/adminforce/content/usersystem/doppelaccis.php b/adminforce/content/usersystem/doppelaccis.php
index d7384f6..22ca20b 100644
--- a/adminforce/content/usersystem/doppelaccis.php
+++ b/adminforce/content/usersystem/doppelaccis.php
@@ -5,7 +5,7 @@
 <td align="center"><b>IP-Adresse</b></td>
 </tr>
 <?php
-$sql = sql::$db->query("SELECT `login_ip`, COUNT(*) AS `anzahl` FROM `" . _VMS_ . "_kontodaten` GROUP BY `login_ip` HAVING COUNT(*) > 1") or die(mysql_error());
+$sql = sql::$db->query("SELECT `login_ip`, COUNT(*) AS `anzahl` FROM `" . _VMS_ . "_kontodaten` GROUP BY `login_ip` HAVING COUNT(*) > 1") or die($sql->errorInfo());
 if ($sql->rowCount() == 0) {
 echo '
 <tr>
@@ -26,10 +26,12 @@ if ($sql->rowCount() == 0) {
 </table>
 <?php
 if (isset($_GET['ip'])) {
- $ip = sql::$db->query("SELECT k.uid,u.nickname FROM
+ $ip = sql::$db->prepare("SELECT k.uid,u.nickname FROM
 " . _VMS_ . "_kontodaten AS k
 LEFT JOIN " . _VMS_ . "_userdaten AS u ON u.uid=k.uid
-WHERE k.login_ip='" . addslashes($_GET['ip']) . "'");
+WHERE k.login_ip=:ip");
+ $ip->bindParam(':ip', $_GET['ip'], PDO::PARAM_STR);
+ $ip->execute();
 echo "<p>User mit der IP " . $_GET['ip'] . ":</p>";
 while ($doppelt = $ip -> fetch() ) {
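Review bot: The new `or die($sql->errorInfo())` on the `login_ip` query in the first hunk cannot work: `=` binds tighter than `or`, so when `query()` fails `$sql` already holds `false` and the error path itself aborts with a fatal "call to a member function errorInfo() on bool"; `errorInfo()` also returns an array, which `die()` cannot print. Ask the connection instead and keep driver details out of the HTTP response: `$sql = sql::$db->query("...");` / `if ($sql === false) { error_log(implode(' ', sql::$db->errorInfo())); die('Datenbankfehler'); }`. Alternatively set `PDO::ATTR_ERRMODE` to `PDO::ERRMODE_EXCEPTION` on the connection and drop the `or die` pattern altogether.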
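Review bot: The IP branch still reflects `$_GET['ip']` unescaped into the page on the `echo "<p>User mit der IP " . $_GET['ip'] . ":</p>";` line, so with the SQL injection closed the remaining injection is HTML/JS into the admin UI; write it as `echo "<p>User mit der IP " . htmlspecialchars($_GET['ip'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ":</p>";`. `bindParam()` binds by reference, which is needless for a request value — `$ip->bindValue(':ip', $_GET['ip'], PDO::PARAM_STR);` says what is meant — and the return value of `$ip->execute()` is ignored, so a failed execute silently renders an empty list. The `if (isset($_GET['ip']))` block and the `while` loop continue past the end of the hunk.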
@@ -49,14 +51,14 @@ foot();
 <td align="center"><b>md5Hash</b></td>
 </tr>
 <?php
-$sql2 = sql::$db->query("SELECT `passwort`, COUNT(*) AS `anzahl` FROM `" . _VMS_ . "_kontodaten` GROUP BY `passwort` HAVING COUNT(*) > 1") or die(mysql_error());
+$sql2 = sql::$db->query("SELECT `passwort`, COUNT(*) AS `anzahl` FROM `" . _VMS_ . "_kontodaten` GROUP BY `passwort` HAVING COUNT(*) > 1") or die($sql->errorInfo());
 if ($sql2->rowCount() == 0) {
 echo '
 <tr>
- <td colspan="2" align="center"><font color="green">Keine Doppelten Passwörter im System</font></td>
+ <td colspan="2" align="center"><font color="green">Keine doppelten Passwörter im System</font></td>
 </tr>';
 } else {
- while ($fake2 = mysql_fetch_assoc($sql2)) {
+ while ($fake2 = $sql2->fetch(PDO::FETCH_ASSOC) ) {
 echo '
 <tr>
 <td>' . $fake2['anzahl'] . '</td>
@@ -74,10 +76,12 @@ if (isset($_GET['md5'])) {
 $md5 = db_query("SELECT k.uid,u.nickname FROM
 `" . _VMS_ . "_kontodaten` AS k
 LEFT JOIN `" . _VMS_ . "_userdaten` AS u ON u.uid=k.uid
-WHERE k.passwort='" . addslashes($_GET['md5']) . "'");
+WHERE k.passwort=:md5");
+ $md5->bindParam(':md5', $_GET['md5'], PDO::PARAM_STR);
+ $md5->execute();
 echo "<p>User mit dem Passworthash " . $_GET['md5'] . ":</p>";
- while ($doppelt = mysql_fetch_assoc($md5)) {
+ while ($doppelt = $md5->fetch(PDO::FETCH_ASSOC) ) {
 echo "<a href='?content=/usersystem/userbearbeiten&uid=" . $doppelt['uid'] . "'>" . $doppelt['nickname'] . "</a><br>";
 }
 }
-- GitLab
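Review bot: The replacement `or die($sql->errorInfo())` on the `$sql2` query reports the wrong statement: `$sql` is the earlier `login_ip` statement, which at this point has succeeded, so a failing `$sql2` would print the empty "00000" error of a different query — and `die()` cannot render the array that `errorInfo()` returns anyway. Check the result explicitly against the connection, e.g. `$sql2 = sql::$db->query("...");` / `if ($sql2 === false) { error_log(implode(' ', sql::$db->errorInfo())); die('Datenbankfehler'); }`, or switch the connection to `PDO::ERRMODE_EXCEPTION`. The table lists the raw `passwort` column under the header `md5Hash`; if those values are unsalted MD5 digests as the header suggests, that is the larger finding on this page, and a migration to `password_hash()`/`password_verify()` is worth scheduling separately.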
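Review bot: The last hunk adds `$md5->bindParam(...)` and `$md5->execute()` but keeps the unchanged `$md5 = db_query("SELECT ...` line above them, so unlike the IP branch this statement is not created with `sql::$db->prepare()`. If `db_query()` executes the SQL it is handed — which its pre-patch use with an inlined `addslashes()` value suggests — the query is sent with an unbound `:md5` and the bind/execute calls act on whatever it returns; change the opening line to `$md5 = sql::$db->prepare("SELECT k.uid,u.nickname FROM` so it mirrors the IP branch. The `echo "<p>User mit dem Passworthash " . $_GET['md5'] . ":</p>";` line and the `$doppelt['uid']` / `$doppelt['nickname']` link output are still written unescaped; wrap each value in `htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The enclosing `if (isset($_GET['md5']))` opens before the hunk, so the two closing braces at its end are assumed to belong to that block and the `while`.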