
[Plugin: WordPress-Banner] SQL Injection?? (8 posts)

  1. Oleg Butuzov
    Member
    Posted 3 years ago #

    Just installed your plugin, found a few errors and security hacks

    1) function banner_update()
    seems you forgot to set global $start_date, $end_date

    2) banner_clicks.php

    $query = "UPDATE ".$table_prefix."banner SET banner_clicks=banner_clicks+1 WHERE banner_id=".intval($banner_id);

    damn, it's a SQL Injection in clear view!

    http://wordpress.org/extend/plugins/wp-banner/

    [title moderated]

  2. alfredocubitos
    Member
    Posted 3 years ago #

    Hi,

    thank you for your advice.
    I made a security update.

  3. Otto
    Tech Ninja
    Posted 3 years ago #

    That's not an SQL injection. If he runs it through intval, then no injection is possible.

    The most somebody can do is hit it repeatedly to up the click count. Should be fixed, of course, but still, it's not dangerous.

  4. Oleg Butuzov
    Member
    Posted 3 years ago #

    Otto, time to say "Sorry I was wrong" =)
    http://dev.wp-plugins.org/changeset/53044

    Thank you Alfred!

  5. Lester Chan
    Member
    Posted 3 years ago #

    I think Otto mistook the code you posted as being from before the "fix", but actually that is the fix.

  6. Otto
    Tech Ninja
    Posted 3 years ago #

    I was not wrong. The code you posted above has no injection in it. The intval prevents it. So... What in the heck are you talking about?

    Edit: Ahh, you posted the fixed code, not the original code. Next time, be more clear.

  7. Lester Chan
    Member
    Posted 3 years ago #

    Yeah, I am right =p. We need post revisions or even a last edited time in bbpress

  8. Oleg Butuzov
    Member
    Posted 3 years ago #

    For all people: I am sorry, I am not really good in English.
    I thought I had talked clearly, but not. =).
    Excuse me please.
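
The intval() point argued in this thread, as an added example that is not part of the thread or of the plugin: the click-counter UPDATE built the hypothetical pre-fix way (id pasted in verbatim) beside the intval() form that was posted, plus a strict digit check a maintainer could use to reject a tampered id instead of silently coercing it. The table prefix "wp_" and the sample ids are constructed; no database is needed.

```php
<?php
// Added example, not the plugin's code: the click-counter UPDATE built two
// ways to show why intval() closes the injection, plus a strict id check.
// Assumes a constructed table prefix "wp_"; nothing is sent to a database.

// Hypothetical pre-fix shape: the id is pasted into the SQL text verbatim,
// so any SQL syntax in the request becomes part of the statement.
function build_raw_query(string $table_prefix, string $banner_id): string
{
    return "UPDATE {$table_prefix}banner SET banner_clicks=banner_clicks+1"
         . " WHERE banner_id=" . $banner_id;
}

// The shape posted in the thread: intval() returns an integer (the leading
// digits, or 0 if there are none), so the WHERE clause can only ever compare
// against a number. The remaining issue is repeat hits inflating the count.
function build_intval_query(string $table_prefix, string $banner_id): string
{
    return "UPDATE {$table_prefix}banner SET banner_clicks=banner_clicks+1"
         . " WHERE banner_id=" . intval($banner_id);
}

// Stricter than coercion: accept only an all-digit id with no leading zeros
// or overflow, so "7abc" is rejected (and can be logged) rather than becoming 7.
function is_strict_banner_id(string $banner_id): bool
{
    return ctype_digit($banner_id) && $banner_id === (string) (int) $banner_id;
}

// Constructed inputs: a normal id, one carrying SQL syntax, one with no digits.
$inputs = ['7', '7 OR 1=1', 'abc'];
foreach ($inputs as $id) {
    printf("input: %s\n", $id);
    printf("  raw:    %s\n", build_raw_query('wp_', $id));
    printf("  intval: %s\n", build_intval_query('wp_', $id));
    printf("  strict: %s\n", is_strict_banner_id($id) ? 'accept' : 'reject');
}
```

Running it shows the raw form carrying the request text into the statement while the intval form always ends in a bare integer; the strict check additionally refuses the two non-numeric inputs so they can be treated as tampering rather than as banner 7 or banner 0.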

Topic Closed

This topic has been closed to new replies.
