I'm looking for include a token (nonce) in this file for prevent SQL Injection; any know this?
http://st4ck-3rr0r.blogspot.com/2010/12/wp-proplayer-plugin-blind-sql-inyection.html
ProPlayer
SQL inyection (3 posts)
-
-
ca0s
Posted 1 year ago #I reported it to its author but no response was received.
You can fix it by editing playlist-controller.php at line 164, replacing:$xml = $playlistController->getPlaylist($_GET["pp_playlist_id"]);with
$xml = $playlistController->getPlaylist(mysql_real_escape_string($_GET["pp_playlist_id"]));Hope it helps you.
-
If what you get is a number, is not this better?:
$xml = $playlistController->getPlaylist(abs((int) $_GET["pp_playlist_id"]));
Topic Closed
This topic has been closed to new replies.
