From a6e70256ea825cd8fba78d0feea372069a2586ba Mon Sep 17 00:00:00 2001 From: hifihedgehog <16614343+hifihedgehog@users.noreply.github.com> Date: Fri, 26 Jul 2019 09:33:31 -0400 Subject: [PATCH] Added escaping of special characters --- .../ChangePasswordCyberPanel.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/change-password-cyberpanel/ChangePasswordCyberPanel.php b/plugins/change-password-cyberpanel/ChangePasswordCyberPanel.php index 0474807df..ff13fade3 100644 --- a/plugins/change-password-cyberpanel/ChangePasswordCyberPanel.php +++ b/plugins/change-password-cyberpanel/ChangePasswordCyberPanel.php @@ -99,16 +99,16 @@ class ChangePasswordCyberPanel implements \RainLoop\Providers\ChangePassword\Cha try { - $sEmail = $oAccount->Email(); - $sEmailUser = \MailSo\Base\Utils::GetAccountNameFromEmail($sEmail); - $sEmailDomain = \MailSo\Base\Utils::GetDomainFromEmail($sEmail); + $sEmail = mysqli_real_escape_string($db, $oAccount->Email()); + $sEmailUser = mysqli_real_escape_string($db, \MailSo\Base\Utils::GetAccountNameFromEmail($sEmail)); + $sEmailDomain = mysqli_real_escape_string($db, \MailSo\Base\Utils::GetDomainFromEmail($sEmail)); $password_check_query = "SELECT * FROM e_users WHERE emailOwner_id = '$sEmailDomain' AND email = '$sEmail'"; $result = mysqli_query($db, $password_check_query); $password_check = mysqli_fetch_assoc($result); if (password_verify($sPrevPassword, substr($password_check['password'], 7))) { - $hashed_password = '{CRYPT}'.password_hash($sNewPassword, PASSWORD_BCRYPT); + $hashed_password = mysqli_real_escape_string($db, '{CRYPT}'.password_hash($sNewPassword, PASSWORD_BCRYPT)) $password_update_query = "UPDATE e_users SET password = '$hashed_password' WHERE emailOwner_id = '$sEmailDomain' AND email = '$sEmail'"; mysqli_query($db, $password_update_query); $bResult = true;