From 35a1e4c80c870b6f956903d61b1999ecf67d6d51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20T=C3=A4nzer?=
Date: Sat, 24 Aug 2013 15:30:48 +0200
Subject: bug 1137: mysql_real_escape() fields in user_agreements although they usually are not user provided, just to be sure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michael Tänzer
---
 includes/notary.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/notary.inc.php b/includes/notary.inc.php
index b8cdb1b..2b7ccb6 100644
--- a/includes/notary.inc.php
+++ b/includes/notary.inc.php
@@ -635,7 +635,7 @@
 function write_user_agreement($memid, $document, $method, $comment, $active=1, $secmemid=0){
 // write a new record to the table user_agreement
 $query="insert into `user_agreements` set `memid`=".intval($memid).", `secmemid`=".intval($secmemid).
- ",`document`='".$document."',`date`=NOW(), `active`=".intval($active).",`method`='".$method."',`comment`='".$comment."'" ;
+ ",`document`='".mysql_real_escape_string($document)."',`date`=NOW(), `active`=".intval($active).",`method`='".mysql_real_escape_string($method)."',`comment`='".mysql_real_escape_string($comment)."'" ;
 $res = mysql_query($query);
 }
-- cgit v1.2.1
From 69c7c9d069da887f238f51cd44ad1e07960f044e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20T=C3=A4nzer?=
Date: Sat, 24 Aug 2013 15:41:19 +0200
Subject: bug 1137: setting the "certify" check box should depend on the method selected not on whether one is TTP Assurer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michael Tänzer
---
 www/wot.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/www/wot.php b/www/wot.php
index daba46a..4574221 100644
--- a/www/wot.php
+++ b/www/wot.php
@@ -126,7 +126,7 @@ function send_reminder()
 if($oldid == 12)
 $id = $oldid;
-
+
 if($oldid == 4)
 {
 if ($_POST['ttp']!='') {
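Review bot: With the escaping moved inside `write_user_agreement()` on the added `$query` continuation line, the function's contract changes without being written down: `$document`, `$method` and `$comment` must now be passed raw, and any caller outside this hunk that already escapes them would store doubled backslashes. A short comment above the `$query` line would pin that down, for example `// $document, $method, $comment: pass raw values, they are escaped here`. `mysql_real_escape_string()` is called without a link argument, so it relies on the most recently opened connection and on that connection's character set being set through the client API, which is worth confirming where the connection is opened. Separately, `$res` is assigned from `mysql_query($query)` and never checked, so a failed write of the agreement record goes unnoticed.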
@@ -278,7 +278,7 @@ $iecho= "c";
 }
 //met assuree in person, not appliciable fot TTP / TTP Topup assurances
- if((!array_key_exists('certify',$_POST) || $_POST['certify'] != 1 ) && $_SESSION['profile']['ttpadmin'] != 1)
+ if((!array_key_exists('certify',$_POST) || $_POST['certify'] != 1 ) && $_REQUEST['method'] != "Trusted 3rd Parties")
 {
 show_page("VerifyData","",_("You failed to check all boxes to validate your adherence to the rules and policies of CAcert"));
 exit;
-- cgit v1.2.1
From ff8e88c54bcbfad0084834f82b798b8a3f35817d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20T=C3=A4nzer?=
Date: Sat, 24 Aug 2013 15:59:31 +0200
Subject: bug 1137: get rid of the board flag, which has already been removed in the release branch but somehow this change got lost in this branch (during merge conflict resolution)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michael Tänzer
---
 www/wot.php | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/www/wot.php b/www/wot.php
index 4574221..9b6bd27 100644
--- a/www/wot.php
+++ b/www/wot.php
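Review bot: The added condition lets a request value alone switch off the certify check: `$_REQUEST['method'] != "Trusted 3rd Parties"` replaces the session-based `ttpadmin` test, so unless code outside this hunk rejects that method for assurers who are not TTP admins, the "met in person" confirmation is no longer enforced for them. Keeping the privilege test and adding the method test closes that, e.g. `&& !($_SESSION['profile']['ttpadmin'] == 1 && $_POST['method'] == 'Trusted 3rd Parties')`. The check also reads `$_REQUEST`, while the `method` handling in the `@@ -373` hunk of the following commit reads `$_POST` and accepts 'Trusted Third Parties' as well, so the two places can disagree about which method was selected. The surrounding block starts and ends outside the hunk.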
@@ -373,15 +373,8 @@ $iecho= "c";
 if (check_date_format(trim($_REQUEST['date']),2010)) {
 write_user_agreement($_SESSION['profile']['id'], "CCA", "Assurance", "Assurer", 1, $_SESSION['_config']['notarise']['id']);
 }
- if($_SESSION['profile']['board'] == 1 && intval($_POST['expire']) > 0)
- {
- $query .= ",\n`method`='Temporary Increase'";
- $query .= ",\n`expire`=DATE_ADD(NOW(), INTERVAL '".intval($_POST['expire'])."' DAY)";
- $query .= ",\n`sponsor`='".intval($_POST['sponsor'])."'";
- } else if($_SESSION['profile']['board'] == 1) {
- $query .= ",\n`method`='".mysql_escape_string(stripslashes($_POST['method']))."'";
- } else if($_SESSION['profile']['ttpadmin'] == 1 && ($_POST['method'] == 'Trusted 3rd Parties' || $_POST['method'] == 'Trusted Third Parties')) {
- $query .= ",\n`method`='Trusted Third Parties'";
+ if($_SESSION['profile']['ttpadmin'] == 1 && ($_POST['method'] == 'Trusted 3rd Parties' || $_POST['method'] == 'Trusted Third Parties')) {
+ $query .= ",\n`method`='TTP-Assisted'";
 }
 mysql_query($query);
 fix_assurer_flag($_SESSION['_config']['notarise']['id']);
-- cgit v1.2.1
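Review bot: The added line that appends `'TTP-Assisted'` changes the value stored in `method` for TTP assurances from 'Trusted Third Parties', which the commit subject (removal of the board flag) does not mention; any code or report that matches the old string would need the same change, and that cannot be confirmed from this hunk. A one-line comment on the branch would record the mapping, e.g. `// both posted spellings are stored as 'TTP-Assisted'`. `$_POST['method']` is read in the added condition without an existence check, unlike `certify` in the `@@ -278` hunk, so `isset($_POST['method']) &&` in front of the comparison would avoid a notice when the field is absent. The result of `mysql_query($query)` in the trailing context is not checked before `fix_assurer_flag()` runs. The statement that builds `$query` begins outside the hunk.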