Revision 0e6cf71b
Added by Renato Botelho over 11 years ago
usr/local/www/system_usermanager_addprivs.php | ||
---|---|---|
46 | 46 |
|
47 | 47 |
$pgtitle = array("System","User manager","Add privileges"); |
48 | 48 |
|
49 |
$userid = $_GET['userid']; |
|
50 |
if (isset($_POST['userid'])) |
|
49 |
if (is_numericint($_GET['userid'])) |
|
50 |
$userid = $_GET['userid']; |
|
51 |
if (isset($_POST['userid']) && is_numericint($_POST['userid'])) |
|
51 | 52 |
$userid = $_POST['userid']; |
52 | 53 |
|
53 | 54 |
$a_user = & $config['system']['user'][$userid]; |
... | ... | |
195 | 196 |
<input id="submitt" name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" /> |
196 | 197 |
<input id="cancelbutton" class="formbtn" type="button" value="<?=gettext("Cancel");?>" onclick="history.back()" /> |
197 | 198 |
<?php if (isset($userid)): ?> |
198 |
<input name="userid" type="hidden" value="<?=$userid;?>" />
|
|
199 |
<input name="userid" type="hidden" value="<?=htmlspecialchars($userid);?>" />
|
|
199 | 200 |
<?php endif; ?> |
200 | 201 |
</td> |
201 | 202 |
</tr> |
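Review bot: The new `is_numericint()` guards on `$_GET['userid']` and `$_POST['userid']` only establish that the value is digits; they do not establish that such a user exists, and the unchanged line `$a_user = & $config['system']['user'][$userid];` takes a reference to the index, which in PHP silently creates a null entry under an unknown key rather than failing. Before taking the reference, the page should check `if (!isset($config['system']['user'][$userid]))` and stop (redirect or error out) so a stray or stale userid cannot append an empty user record to `$config`. The `$_GET['userid']` read on the new line 49 is also unguarded by `isset()`, so a request without the parameter raises an undefined-index notice and, if `is_numericint()` accepts an empty value, falls through with an empty `$userid`; `if (isset($_GET['userid']) && is_numericint($_GET['userid']))` mirrors the POST branch. Casting on assignment, `$userid = (int)$_GET['userid'];`, would additionally make the later `htmlspecialchars($userid)` and array lookup operate on an integer rather than a string copied from the request. The surrounding code of both hunks begins and ends outside the diff.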
Improve checks for params 'id', 'dup' and other similar ones to make sure they are numeric integers; also, pass them through htmlspecialchars() before printing