WordPress.org Forums

ProPlayer
SQL injection (3 posts)

  1. Covi
    Member
    Posted 3 years ago #

    I'm looking to include a token (nonce) in this file to prevent SQL injection; does anyone know how?

    http://st4ck-3rr0r.blogspot.com/2010/12/wp-proplayer-plugin-blind-sql-inyection.html

  2. ca0s
    Member
    Posted 3 years ago #

    I reported it to its author but no response was received.
    You can fix it by editing playlist-controller.php at line 164, replacing:

    $xml = $playlistController->getPlaylist($_GET["pp_playlist_id"]);

    with

    $xml = $playlistController->getPlaylist(mysql_real_escape_string($_GET["pp_playlist_id"]));

    Hope it helps you.

  3. Covi
    Member
    Posted 2 years ago #

    If what you get is a number, isn't this better?:
    $xml = $playlistController->getPlaylist(abs((int) $_GET["pp_playlist_id"]));
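Added example (not code from the ProPlayer plugin or from either poster) showing why the integer cast in the last post is the right guard for an unquoted numeric parameter, while string escaping alone is not; the helper names, the sample inputs and the table name are assumptions made up for the illustration.

```php
<?php
// Added example, not the plugin's own code. Helper names and the table
// name are hypothetical; the sample inputs are constructed.

// Same idea as post #3: coerce the request value to a non-negative
// integer before it reaches a query.
function sanitize_playlist_id($raw)
{
    // (int) stops at the first non-digit character, so anything appended
    // after the number is dropped; abs() folds a leading minus into a
    // positive id.
    return abs((int) $raw);
}

// Stricter variant: reject anything that is not a plain decimal number
// instead of silently rewriting it, so the caller can log and refuse
// the request.
function validate_playlist_id($raw)
{
    if (!is_string($raw) || !preg_match('/^[0-9]{1,10}$/', $raw)) {
        return null; // caller should answer with an error, not a query
    }
    return (int) $raw;
}

// Building the query. A quote-escaping function such as
// mysql_real_escape_string() only neutralises quote and backslash
// characters; with the value placed unquoted after "id = " there is
// nothing for it to neutralise, so "12 OR 1=1" would pass through
// unchanged. The cast removes the trailing text instead.
function build_playlist_query($raw)
{
    return 'SELECT xml FROM wp_pp_playlists WHERE id = '
        . sanitize_playlist_id($raw);
}

// Inside WordPress, the preferred form is $wpdb->prepare() with a %d
// placeholder, which performs the integer coercion itself:
//   $wpdb->get_var($wpdb->prepare(
//       "SELECT xml FROM {$wpdb->prefix}pp_playlists WHERE id = %d",
//       $_GET['pp_playlist_id']));

// Constructed inputs run through both helpers.
$samples = array('12', '12 OR 1=1', '-7', 'abc', '');
foreach ($samples as $s) {
    printf("%-12s -> cast: %d, strict: %s\n", var_export($s, true),
        sanitize_playlist_id($s),
        var_export(validate_playlist_id($s), true));
}
```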

Topic Closed

This topic has been closed to new replies.
