Changeset 704 for trunk/phpbms/modules/base/tabledefs_custom.php

Timestamp:

01/01/10 23:10:02 (2 years ago)

Author:

brieb

Message:

• Fixed several SQL injection vulnerabilities
• Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI
• Fixed severa path disclosure errors

Files:

• trunk/phpbms/modules/base/tabledefs_custom.php (modified) (1 diff)

trunk/phpbms/modules/base/tabledefs_custom.php

@@ -75 +75 @@
             </form>
         <?php } else { ?>
-            <form action="<?php echo str_replace("&", "&amp;", $_SERVER["REQUEST_URI"]) ?>" method="post" name="record" id="record">
+            <form action="<?php echo htmlentities($_SERVER["REQUEST_URI"]) ?>" method="post" name="record" id="record">
 
                 <p id="topSaveP"><button type="button" class="Buttons saveButtons" accesskey="s">save</button></p>