From c54436b4325fb941efedf9a8c3d4d0aa6242ed05 Mon Sep 17 00:00:00 2001
From: Josh North
Date: Thu, 5 Aug 2021 22:08:24 -0400
Subject: [PATCH] Remediate injection on internal auth login
---
 inc/header.inc.php | 2 +-
 login.php | 2 +-
 printvwf.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/inc/header.inc.php b/inc/header.inc.php
index 98a702d..ee77971 100644
--- a/inc/header.inc.php
+++ b/inc/header.inc.php
@@ -119,7 +119,7 @@ - +
diff --git a/login.php b/login.php
index b0fb6ba..2a1ad21 100644
--- a/login.php
+++ b/login.php
@@ -99,7 +99,7 @@ $hasher = new PasswordHash(8, FALSE); // compare if posted
 if (!empty(filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS))):
 $user = $Users->loginUser(filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS));
- if ($user && $user[0]["users_password"] == $hasher->CheckPassword(filter_input(INPUT_POST, 'password', FILTER_SANITIZE_SPECIAL_CHARS), $user[0]["users_password"])):
+ if ($user && $user[0]["users_password"] == $hasher->CheckPassword(filter_input(INPUT_POST, 'password', FILTER_SANITIZE_FULL_SPECIAL_CHARS), $user[0]["users_password"])):
 session_regenerate_id();
 $_SESSION['user_id'] = $user[0]["users_id"];
 $_SESSION['loggedIn'] = TRUE;
diff --git a/printvwf.php b/printvwf.php
index abb1a91..777ad8d 100644
--- a/printvwf.php
+++ b/printvwf.php
@@ -120,7 +120,7 @@ - +
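Review bot: In the login.php hunk, the new `+` line still HTML-encodes the password before `CheckPassword()`, and moving from `FILTER_SANITIZE_SPECIAL_CHARS` to `FILTER_SANITIZE_FULL_SPECIAL_CHARS` changes the bytes being verified (`<` becomes `&lt;` instead of `&#60;`), so passwords containing `<`, `>`, `&` or quotes may stop matching hashes made from the old filter's output; where hashes are created is outside this hunk. Entity-encoding is an output control for HTML and does nothing for a value that only reaches the hasher; if the injection named in the subject is SQL injection, the fix belongs in `$Users->loginUser()` with bound parameters, which is not visible here. The condition also compares the stored hash to the return value of `CheckPassword()` with `==`, which holds only through loose string-to-boolean comparison if that method returns a boolean, as phpass does. I would read the password unmodified and test the result directly, `if ($user && $hasher->CheckPassword(filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW), $user[0]["users_password"])):`, with a fallback check against the previously filtered form so existing accounts can be rehashed on their next login. The `if` block continues past the end of the hunk.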