authorSimon Rettberg2014-06-11 16:12:54 +0200
committerSimon Rettberg2014-06-11 16:12:54 +0200
commit5b5332d38c8651cb1532d4142834adb816384526 (patch)
tree3d990840bcae055ea05465e02d6e2f5e93459fbc /modules/news.inc.php
parent1) Improve Taskmanager error handling 2) add uptime display to status page, f... (diff)
[news] Fix SQL injection
Diffstat (limited to 'modules/news.inc.php')
-rw-r--r--modules/news.inc.php7
1 files changed, 4 insertions, 3 deletions
diff --git a/modules/news.inc.php b/modules/news.inc.php
index 2f9aa985..4ec6fddd 100644
--- a/modules/news.inc.php
+++ b/modules/news.inc.php
@@ -73,13 +73,14 @@ class Page_News extends Page
{
// check to see if we need to request a specific newsid
if ($this->newsId !== false) {
- $whereClause = "WHERE newsid = $this->newsId ";
+ $row = Database::queryFirst("SELECT newsid, title, content, dateline FROM news WHERE newsid = :newsid LIMIT 1", array(
+ 'newsid' => $this->newsId
+ ));
} else {
- $whereClause = "";
+ $row = Database::queryFirst("SELECT newsid, title, content, dateline FROM news ORDER BY dateline DESC LIMIT 1");
}
// fetch the news to be shown
- $row = Database::queryFirst("SELECT * FROM news $whereClause ORDER BY dateline DESC LIMIT 1");
if ($row !== false) {
$this->newsTitle = $row['title'];
$this->newsContent = $row['content'];