Added escaping of special characters

This commit is contained in:
hifihedgehog 2019-07-26 09:33:31 -04:00 committed by GitHub
parent 4b00ef72d4
commit a6e70256ea
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -99,16 +99,16 @@ class ChangePasswordCyberPanel implements \RainLoop\Providers\ChangePassword\Cha
try try
{ {
$sEmail = $oAccount->Email(); $sEmail = mysqli_real_escape_string($db, $oAccount->Email());
$sEmailUser = \MailSo\Base\Utils::GetAccountNameFromEmail($sEmail); $sEmailUser = mysqli_real_escape_string($db, \MailSo\Base\Utils::GetAccountNameFromEmail($sEmail));
$sEmailDomain = \MailSo\Base\Utils::GetDomainFromEmail($sEmail); $sEmailDomain = mysqli_real_escape_string($db, \MailSo\Base\Utils::GetDomainFromEmail($sEmail));
$password_check_query = "SELECT * FROM e_users WHERE emailOwner_id = '$sEmailDomain' AND email = '$sEmail'"; $password_check_query = "SELECT * FROM e_users WHERE emailOwner_id = '$sEmailDomain' AND email = '$sEmail'";
$result = mysqli_query($db, $password_check_query); $result = mysqli_query($db, $password_check_query);
$password_check = mysqli_fetch_assoc($result); $password_check = mysqli_fetch_assoc($result);
if (password_verify($sPrevPassword, substr($password_check['password'], 7))) { if (password_verify($sPrevPassword, substr($password_check['password'], 7))) {
$hashed_password = '{CRYPT}'.password_hash($sNewPassword, PASSWORD_BCRYPT); $hashed_password = mysqli_real_escape_string($db, '{CRYPT}'.password_hash($sNewPassword, PASSWORD_BCRYPT))
$password_update_query = "UPDATE e_users SET password = '$hashed_password' WHERE emailOwner_id = '$sEmailDomain' AND email = '$sEmail'"; $password_update_query = "UPDATE e_users SET password = '$hashed_password' WHERE emailOwner_id = '$sEmailDomain' AND email = '$sEmail'";
mysqli_query($db, $password_update_query); mysqli_query($db, $password_update_query);
$bResult = true; $bResult = true;