From 3c94eb3f608f9bf0dc8d19583abe273b3a67e5ff Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 20 Apr 2014 18:55:24 +0200
Subject: Fixed XSS vulnerability.
---
 www/insert.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'www/insert.php')
diff --git a/www/insert.php b/www/insert.php
index 4a17042..f373205 100644
--- a/www/insert.php
+++ b/www/insert.php
@@ -5,12 +5,12 @@ Licensed under the GPL. Read LICENSE for more Information.*/
 function insert_db($db){
- $safe1 = SQLite3::escapeString("$_POST[name]");
- $safe2 = SQLite3::escapeString("$_POST[adresse]");
- $safe3 = SQLite3::escapeString("$_POST[telefonnummer]");
- $safe4 = SQLite3::escapeString("$_POST[handynummer]");
- $safe5 = SQLite3::escapeString("$_POST[email]");
- $safe6 = SQLite3::escapeString("$_POST[geburtstag]");
+ $safe1 = SQLite3::escapeString(htmlentities($_POST[name]));
+ $safe2 = SQLite3::escapeString(htmlentities($_POST[adresse]));
+ $safe3 = SQLite3::escapeString(htmlentities($_POST[telefonnummer]));
+ $safe4 = SQLite3::escapeString(htmlentities($_POST[handynummer]));
+ $safe5 = SQLite3::escapeString(htmlentities($_POST[email]));
+ $safe6 = SQLite3::escapeString(htmlentities($_POST[geburtstag]));
 $query = "INSERT INTO jg (id, name, adresse, telefonnummer, handynummer, email, geburtstag) VALUES(NULL,'$safe1','$safe2','$safe3','$safe4','$safe5','$safe6');";
 if($db->exec("
 BEGIN TRANSACTION;
-- cgit v1.2.3
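Review bot: The new `htmlentities()` calls on the six `$safeN` lines encode for HTML before the values reach the database, so every stored `name`/`adresse`/`telefonnummer`/... field now carries `&amp;`-style entities into any non-HTML consumer (exports, mail, plain-text output), while the HTML protection is still incomplete: with PHP's default flags (`ENT_COMPAT` before 8.1) `htmlentities()` leaves single quotes untouched, so a value like `' onmouseover='alert(1)` still breaks out of a single-quoted attribute on whatever page later renders these rows, and since PHP 5.4 it returns an empty string for invalid UTF-8 input, silently dropping the field. The better layering is to keep storage raw and escape at the output site: `$safe1 = SQLite3::escapeString(isset($_POST['name']) ? $_POST['name'] : '');` here (the bare `$_POST[name]` key is an undefined-constant notice, an Error on PHP 8), and `htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')` wherever the row is echoed. Replacing the string-built INSERT on the `$query` line with `$db->prepare()` plus `bindValue()` would remove the need for `escapeString()` as well. insert_db's body continues past the hunk, so the `$db->exec()` that actually runs `$query` is not visible here.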