RESIDENCE guild show #126
Labels
Comments
|
faz o PR pra nos lindeza |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Priority
Critical
Area
System
What OS are you seeing the problem on?
Linux
Browser
Edge
What happened?
a função residence em show.php pode ser vulnerável a SQL Injection e também pode causar problemas se a variável $guild_residence estiver vazia ou contiver caracteres especiais.
https://github.com/opentibiabr/myaac/blob/main/system/pages/guilds/show.php#L114
correção.
// RESIDENCE
$guild_residence = $guild->getCustomField('residence');
// Preparar e executar a primeira consulta
$select_guildhouse = $db->prepare('SELECT
house_id,listid,listFROMhouse_listsWHEREhouse_id= :house_id');$select_guildhouse->execute(['house_id' => $guild_residence]);
$get_guildhouse = $select_guildhouse->fetch();
$count_guildhouse = $select_guildhouse->rowCount();
if ($count_guildhouse > 0) {
// Preparar e executar a segunda consulta
$get_house = $db->prepare('SELECT
id,owner,paid,name,town_idFROMhousesWHEREid= :id');$get_house->execute(['id' => $get_guildhouse['house_id']]);
$house = $get_house->fetch();
$house_name = $house['name'];
}
Code of Conduct
The text was updated successfully, but these errors were encountered: