ipfspics/ipfspics-server

sqlinjection

victorb opened this issue · 2 comments

Seems there are some possibilities for people to do injections.

https://github.com/ipfspics/server/blob/master/preview.php#L21

$hash is coming directly from $_GET which is no good.

The code exits if someone tries to input something that isn't a valid IPFS hash.

    // Allow only ASCII letters and digits; anything else aborts the request.
    // [A-Za-z] rather than [A-z]: the latter range also admits [ \ ] ^ _ and `.
    // The /D modifier keeps "$" from matching before a trailing newline.
    if (isset($_GET['hash']) && preg_match('/^[A-Za-z0-9]+$/D', $_GET['hash'])) {
        $hash = $_GET['hash'];
    } else {
        exit("wrong hash");
    }

I know it's maybe not the cleanest way to do this. I really need to add comments to the code.
HTML code is also properly escaped in the albums.

Thanks a lot for checking our code though 😄 it really helps us!
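The allowlist check above is the right idea, but two details decide whether it actually rejects everything that is not a hash: the character class and the `$` anchor. The following is an added example, not code from the ipfspics repository, showing a loose check, a strict check and a stricter one that only accepts the shape of a CIDv0 (base58btc, 46 characters, starting with `Qm`). That the site only ever serves CIDv0 hashes is an assumption for this example, and the function names are chosen here.

```php
<?php
// Added example (not the ipfspics code): allowlist validators for the `hash`
// query parameter, written as functions so they can be unit-tested.
// Assumption: the application only serves CIDv0 hashes.

// Loose: the class [A-z] is the ASCII range 0x41..0x7A, so it also admits
// the characters [ \ ] ^ _ and ` that sit between 'Z' and 'a'.
function looks_alphanumeric_loose(string $s): bool
{
    return preg_match('/^[A-z0-9]+$/', $s) === 1;
}

// Strict: two explicit letter ranges, and /D so "$" does not match
// before a trailing newline.
function looks_alphanumeric_strict(string $s): bool
{
    return preg_match('/^[A-Za-z0-9]+$/D', $s) === 1;
}

// Strictest: CIDv0 shape. base58btc has no 0, O, I or l, and a CIDv0 is
// "Qm" followed by 44 base58 characters.
function is_valid_ipfs_hash(string $hash): bool
{
    return preg_match('/^Qm[1-9A-HJ-NP-Za-km-z]{44}$/D', $hash) === 1;
}

// Constructed sample inputs for the comparison.
$samples = [
    'QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG', // well-formed CIDv0 shape
    'Qm_abc',   // underscore passes [A-z]
    "QmAbc\n",  // trailing newline passes "$" without /D
    'abc',      // alphanumeric, but not a CID
];

foreach ($samples as $s) {
    printf("%-52s loose=%d strict=%d cid=%d\n",
        json_encode($s),
        looks_alphanumeric_loose($s),
        looks_alphanumeric_strict($s),
        is_valid_ipfs_hash($s));
}
```

Run with `php example.php`: the first sample passes all three checks, `Qm_abc` and the newline-terminated value pass only the loose check, and `abc` passes the two alphanumeric checks but not the CID check. Whichever validator is used, the validated value is still what should reach the query or the filesystem path, not the raw `$_GET['hash']`.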

Ah, my bad for missing that! Thanks for the quick reply though!