From 858a4d1b42be377218a9b3692c2401cb5bd6e76f Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Thu, 29 Mar 2007 06:02:22 +0000
Subject: [PATCH] make use of PMA_isValid() and initialize $sql_query

---
 libraries/common.inc.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libraries/common.inc.php b/libraries/common.inc.php
index f546c6900..80d66350d 100644
--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -365,7 +365,7 @@ if (PMA_checkPageValidity($_REQUEST['back'], $goto_whitelist)) {
 * @todo variables should be handled by their respective owners (objects)
 * f.e. lang, server, convcharset, collation_connection in PMA_Config
 */
-if ((isset($_REQUEST['token']) && !is_string($_REQUEST['token'])) || empty($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['token']) {
+if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] != $_REQUEST['token']) {
 /**
 * List of parameters which are allowed from unsafe source
 */
@@ -403,7 +403,7 @@ if (isset($_REQUEST['convcharset'])) {
 * @global string $GLOBALS['db']
 */
 $GLOBALS['db'] = '';
-if (isset($_REQUEST['db']) && is_string($_REQUEST['db'])) {
+if (PMA_isValid($_REQUEST['db'])) {
 // can we strip tags from this?
 // only \ and / is not allowed in db names for MySQL
 $GLOBALS['db'] = $_REQUEST['db'];
@@ -415,7 +415,7 @@ if (isset($_REQUEST['db']) && is_string($_REQUEST['db'])) {
 * @global string $GLOBALS['table']
 */
 $GLOBALS['table'] = '';
-if (isset($_REQUEST['table']) && is_string($_REQUEST['table'])) {
+if (PMA_isValid($_REQUEST['table'])) {
 // can we strip tags from this?
 // only \ and / is not allowed in table names for MySQL
 $GLOBALS['table'] = $_REQUEST['table'];
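Review bot: The new token condition still compares `$_SESSION[' PMA_token ']` with `$_REQUEST['token']` using loose `!=`, so PHP compares numeric-looking strings as numbers: a request token of `0` is treated as equal to any session token of the form `0e` followed by digits, which a hex digest can produce. The rewrite also drops the explicit `empty()` test; whether `PMA_isValid()` rejects an empty string cannot be seen in this diff, and if it does not, an empty request token against a session with no ` PMA_token ` entry would pass, because `null != ''` evaluates to false. Use a strict comparison so only an identical string token is accepted: `if (! PMA_isValid($_REQUEST['token']) || $_SESSION[' PMA_token '] !== $_REQUEST['token']) {`. The body of this `if` (the whitelist handling) continues outside the hunk.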
@@ -426,7 +426,8 @@ if (isset($_REQUEST['table']) && is_string($_REQUEST['table'])) {
 * sql query to be executed
 * @global string $GLOBALS['sql_query']
 */
-if (isset($_REQUEST['sql_query']) && is_string($_REQUEST['sql_query'])) {
+$GLOBALS['sql_query'] = null;
+if (PMA_isValid($_REQUEST['sql_query'])) {
 $GLOBALS['sql_query'] = $_REQUEST['sql_query'];
 }