bug 1138: Avoid double escaping.
authorMichael Tänzer <neo@nhng.de>
Wed, 30 Apr 2014 21:47:33 +0000 (23:47 +0200)
committerMichael Tänzer <neo@nhng.de>
Thu, 1 May 2014 00:11:07 +0000 (02:11 +0200)
These session variables should be local variables as they aren't needed
anywhere else

Signed-off-by: Michael Tänzer <neo@nhng.de>
includes/account.php

index b9ee7d1..9f5946f 100644 (file)
@@ -1325,8 +1325,8 @@ function buildSubjectFromSession() {
                }
 
                //!!!Should be rewritten
-               $_SESSION['_config']['user']['otphash'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['otphash']))));
-               $_SESSION['_config']['user']['otppin'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['otppin']))));
+               $_SESSION['_config']['user']['otphash'] = trim(stripslashes(strip_tags($_REQUEST['otphash'])));
+               $_SESSION['_config']['user']['otppin']  = trim(stripslashes(strip_tags($_REQUEST['otppin'])));
                if($_SESSION['_config']['user']['otphash'] != "" && $_SESSION['_config']['user']['otppin'] != "")
                {
                        $query = "update `users` set `otphash`='".mysql_real_escape_string($_SESSION['_config']['user']['otphash'])."',
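Review bot: The `otppin` part of the UPDATE lies past the last visible line, and with the escaping removed from the two assignments it has to be escaped where it is used, the way `otphash` is on the final line with `mysql_real_escape_string($_SESSION['_config']['user']['otphash'])`. If the rest of the statement relied on the value having been escaped at assignment, it now receives unescaped request input, so that line should be confirmed before merging. Separately, both values are still written to `$_SESSION` although the commit message says they should be local variables, so the OTP hash and PIN stay in the session store after this request. Assigning to locals instead, e.g. `$otphash = trim(stripslashes(strip_tags($_REQUEST['otphash'])));` and the same for `$otppin`, would match the stated intent. The `if` and the query string continue outside the hunk and would need the same rename.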