took additional measures to prevent sql injection

This commit is contained in:
JT Smith 2004-05-02 16:15:33 +00:00
parent 045997bc93
commit a293678acd
10 changed files with 29 additions and 32 deletions


@ -109,21 +109,15 @@ sub _setupSessionVars {
tie %vars, 'Tie::CPHash';
if ($_[0] ne "") {
%vars = WebGUI::SQL->quickHash("select * from userSession where sessionId='$_[0]'");
if ($vars{expires} < _time()) {
if ($vars{expires} < _time() || $vars{lastIP} ne $session{env}{REMOTE_ADDR}) {
%vars = ();
WebGUI::Session::end($_[0]);
}
if ($vars{sessionId} ne "") {
$session{scratch} = WebGUI::SQL->buildHashRef("select name,value from userSessionScratch
where sessionId=".quote($_[0]));
if (($session{setting}{proxiedClientAddress} eq "1") && ($ENV{HTTP_X_FORWARDED_FOR} ne "")) {
WebGUI::SQL->write("update userSession set lastPageView="._time().",
lastIP='$ENV{HTTP_X_FORWARDED_FOR}',
expires=".(_time()+$session{setting}{sessionTimeout})
." where sessionId='$_[0]'");
} else {
WebGUI::SQL->write("update userSession set lastPageView="._time().", lastIP='$ENV{REMOTE_ADDR}',
expires=".(_time()+$session{setting}{sessionTimeout})." where sessionId='$_[0]'");
}
WebGUI::SQL->write("update userSession set lastPageView="._time().", lastIP='$session{env}{REMOTE_ADDR}',
expires=".(_time()+$session{setting}{sessionTimeout})." where sessionId='$_[0]'");
} else {
start(1,$_[0]);
}
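Review bot: The quoting is still inconsistent after this change: the `quickHash` select at the top of the hunk and the new `write` update near the bottom both interpolate the session id straight into the SQL (`where sessionId='$_[0]'`), while only the `userSessionScratch` query uses `quote($_[0])`. Since the id comes from the client, the same treatment belongs on all three statements, e.g. `%vars = WebGUI::SQL->quickHash("select * from userSession where sessionId=".quote($_[0]));` and `expires=".(_time()+$session{setting}{sessionTimeout})." where sessionId=".quote($_[0]));`. The interpolated `$session{env}{REMOTE_ADDR}` in the update is presumably a server-supplied value, but passing it through `quote` as well would keep one convention for every value in the statement. `_setupSessionVars` begins before the hunk and its enclosing `if ($_[0] ne "")` closes after it.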