Bravo List


BamBam0077 10th November 2019 08:00

MailBox SQL injection updates
 
PHP Code:

// Pick the mailbox folder from the query string and build the matching filter.
// $CURUSER[id] is interpolated into $where as-is, without escaping.
if (isset($_GET['inbox']))
{
    $pagename = T_("INBOX");
    $tablefmt = " ,Sender,Subject,Date";
    $where = "`receiver` = $CURUSER[id] AND `location` IN ('in','both')";
    $type = "Mail";
}
elseif (isset($_GET['outbox']))
{
    $pagename = "Outbox";
    $tablefmt = " ,Sent_to,Subject,Date";
    $where = "`sender` = $CURUSER[id] AND `location` IN ('out','both')";
    $type = "Mail";
}
elseif (isset($_GET['draft']))
{
    $pagename = "Draft";
    $tablefmt = " ,Sent_to,Subject,Date";
    $where = "`sender` = $CURUSER[id] AND `location` = 'draft'";
    $type = "Mail";
}
elseif (isset($_GET['templates']))
{
    $pagename = "Templates";
    $tablefmt = " ,Subject,Date";
    $where = "`sender` = $CURUSER[id] AND `location` = 'template'";
    $type = "Mail";
}
else
{
    // No folder selected: show the overview page.
    $pagename = "Mail Overview";
    $type = "Overview";
}


Need to sqlesc($CURUSER[$id]) to secure. I am just venting :mad:
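An added example, not part of the original post and not TorrentTrader's own code: one way to build the same folder filter so the user id is validated as an integer and bound through placeholders instead of being interpolated into the SQL text. The helper name `mailbox_filter` and the returned array layout are assumptions made for illustration, and the `T_()` translation call is left out.

```php
<?php
// Added example: hypothetical helper, not TorrentTrader's own code.
// Returns a WHERE fragment with ? placeholders plus the values to bind,
// so nothing from $CURUSER or the request is pasted into the SQL string.

function mailbox_filter(array $get, array $curuser): array
{
    // Folder definitions taken from the snippet in the post:
    // request key => [page name, owner column, allowed locations, table format]
    $folders = [
        'inbox'     => ['INBOX',     'receiver', ['in', 'both'],  ' ,Sender,Subject,Date'],
        'outbox'    => ['Outbox',    'sender',   ['out', 'both'], ' ,Sent_to,Subject,Date'],
        'draft'     => ['Draft',     'sender',   ['draft'],       ' ,Sent_to,Subject,Date'],
        'templates' => ['Templates', 'sender',   ['template'],    ' ,Subject,Date'],
    ];

    // Accept only a plain positive integer id; anything else is rejected.
    $id = filter_var($curuser['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid user id');
    }

    foreach ($folders as $key => [$pagename, $column, $locations, $tablefmt]) {
        if (isset($get[$key])) {
            // Column names come from the fixed table above, never from the request.
            $marks = implode(',', array_fill(0, count($locations), '?'));
            return [
                'pagename' => $pagename,
                'tablefmt' => $tablefmt,
                'type'     => 'Mail',
                'where'    => "`$column` = ? AND `location` IN ($marks)",
                'params'   => array_merge([$id], $locations),
            ];
        }
    }
    return ['pagename' => 'Mail Overview', 'type' => 'Overview',
            'where' => null, 'params' => []];
}

// Constructed sample input: a normal id, then a non-numeric one.
print_r(mailbox_filter(['inbox' => ''], ['id' => '42']));
try {
    mailbox_filter(['inbox' => ''], ['id' => '42 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The `where` string and `params` array are meant to be passed to a prepared statement (for example mysqli or PDO), which keeps the values out of the query text.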

