From 1e3ea65767a2337610a35406460dbae1875945b9 Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Tue, 27 Mar 2007 12:18:01 +0000
Subject: Fix register global dependency and close sql injection

---
 db_table.class | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/db_table.class b/db_table.class
index f99a733..0ab25da 100644
--- a/db_table.class
+++ b/db_table.class
@@ -278,15 +278,15 @@ function dump_html($tableargs="", $sqlwhere="", $c_fields="", $c_descriptions=""
 if ($default_order == "")
 $default_order = $fields[0];
- if ($GLOBALS[$table_sort] == "")
- $GLOBALS[$table_sort] = $default_order;
+ if (!in_array(it::replace(' DESC$' => "", $_REQUEST[$table_sort]), $fields))
+ $_REQUEST[$table_sort] = $default_order;
 $sql = "SELECT $c_fields FROM $this->name";
 if ($sqlwhere)
 $sql .= " WHERE $sqlwhere";
- $sql .= " ORDER BY $GLOBALS[$table_sort]";
+ $sql .= " ORDER BY $_REQUEST[$table_sort]";
 if ($rows_limit != "")
 $sql .= " LIMIT $rows_limit";
@@ -302,7 +302,7 @@ function dump_html($tableargs="", $sqlwhere="", $c_fields="", $c_descriptions=""
 echo "\n";
- if (empty($thispage)) $thispage = $GLOBALS['PHP_SELF'];
+ if (empty($thispage)) $thispage = $_SERVER['PHP_SELF'];
 if (strstr($thispage, "?")) $thispage .= "&"; else $thispage .= "?";
 /* Wenn man keine Titelzeile will, für c_descriptions einfach "," angeben */
@@ -311,12 +311,12 @@ function dump_html($tableargs="", $sqlwhere="", $c_fields="", $c_descriptions=""
 echo '';
 for ($i=0; $i < $numfields; ++$i)
 {
- if ($GLOBALS[$table_sort] == $fields[$i])
+ if ($_REQUEST[$table_sort] == $fields[$i])
 {
- $newsort = "$GLOBALS[$table_sort]+DESC";
+ $newsort = "$_REQUEST[$table_sort]+DESC";
 $sortimg = '';
 }
- else if ($GLOBALS[$table_sort] == "$fields[$i] DESC")
+ else if ($_REQUEST[$table_sort] == "$fields[$i] DESC")
 {
 $newsort = $fields[$i];
 $sortimg = '';
--
cgit v1.2.3
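Review bot: The allow-list check on the first added line of the first hunk calls in_array() without the strict flag, so membership in $fields is decided by PHP's loose `==` (numeric strings such as `"1e1"` and `"10"` compare equal); for a check that gates what reaches ORDER BY it should read `if (!in_array(it::replace(' DESC$' => "", $_REQUEST[$table_sort]), $fields, true))`, and the same loose `==` against $_REQUEST[$table_sort] recurs in the third hunk. The check also reads $_REQUEST[$table_sort] before it is known to exist, which raises an undefined-index notice on a request without that parameter; reading it once into a local via `isset($_REQUEST[$table_sort]) ? $_REQUEST[$table_sort] : ''` and using that local for the check and the ORDER BY would avoid the notice and stop the function rewriting superglobal state that later code may read. The reasoning that only a listed column, optionally followed by " DESC", can reach the SQL depends on it::replace stripping exactly one literal trailing " DESC", which is not visible here and deserves a line comment, e.g. `// allow-list: ORDER BY may only receive a column from $fields, optionally with " DESC"`. $sqlwhere, $c_fields and $rows_limit are still interpolated verbatim; they are parameters of dump_html, so whether they can carry request data depends on callers outside this diff. dump_html begins and ends outside the hunk.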
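Review bot: $_SERVER['PHP_SELF'] on the added line of the second hunk can include attacker-controlled path-info appended to the request URI, and $thispage is then extended with `?`/`&` as the base of page links, so the value needs HTML escaping at the point where it is echoed, or the non-path-info `$_SERVER['SCRIPT_NAME']` should be used instead, e.g. `if (empty($thispage)) $thispage = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES);`. Where $thispage is emitted lies outside the hunk, so that it is reflected unescaped is inferred from its use as a URL prefix here rather than seen. The rest of the hunk only follows the register_globals removal.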