Author Topic: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php  (Read 109697 times)


Offline amodpg

  • Pre-Newbie
  • Posts: 1
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #30 on: June 26, 2006, 11:20:25 PM »
Sir,
    I just downloaded the new version, but it seems the text required to change in the first post of this thread is not yet implemented; I can find the
"$this->session_id = preg_replace('/[^a-z0-9]+/i', '', session_id());" in the session file included in the zip file I just downloaded.

One of my friends' galleries hosted by me has 1000's of xxx comments on his personal photographs.

Any suggestions to fix it?

regards,
amod

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #31 on: June 27, 2006, 12:19:01 AM »
i can find the
"$this->session_id = preg_replace('/[^a-z0-9]+/i', '', session_id());" in the session file included in the zip file i just downloaded.
It's because that is the line you're supposed to replace it with, not to find it....

As for comment spam, we have two mods for image validation on comments; consider using one of them.
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)
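The exchange above turns on a single replaced line: the raw `session_id()` value is swapped for one filtered down to `[a-z0-9]`. The following is an added example, not 4images code, showing why that whitelist matters when the id later ends up inside an SQL string. The query shape in `build_session_query` and the table/column names are assumptions for illustration; 4images' real session.php differs, and v1.7.3 takes a different approach as noted below.

```php
<?php
// Added example (not 4images code): the effect of the session.php fix
// discussed in this thread. The "before" behaviour takes the session id
// as-is; the "after" behaviour is the replacement line quoted above.

// Before the fix: whatever the client sent as its session cookie is used.
function session_id_unfiltered(string $raw): string
{
    return $raw;
}

// After the fix: everything that is not a letter or digit is stripped, so a
// quote, space or semicolon can never reach the SQL text.
function session_id_filtered(string $raw): string
{
    return preg_replace('/[^a-z0-9]+/i', '', $raw);
}

// Hypothetical session lookup built the way older PHP code often did it,
// by direct string interpolation (assumed shape, not 4images' query).
function build_session_query(string $session_id): string
{
    return "SELECT session_user_id FROM sessions WHERE session_id = '"
        . $session_id . "'";
}

// Constructed sample inputs (not real cookies): a normal id and one that
// carries a space and a single quote, i.e. characters that would end the
// quoted literal early in the interpolated query.
$benign  = 'a1b2c3d4e5f6';
$hostile = "ab c'12";

foreach ([$benign, $hostile] as $raw) {
    echo "raw:      " . build_session_query(session_id_unfiltered($raw)) . "\n";
    echo "filtered: " . build_session_query(session_id_filtered($raw)) . "\n\n";
}
// The filtered form of the second input is "abc12": the quote and the space
// are gone, so the id is only ever a token between the two quotes.

// Defence in depth (assumed, not part of the original fix): even with the
// whitelist in place, pass the id as a bound parameter so the database
// never parses it as SQL. Requires a PDO connection $pdo.
function fetch_session_user(PDO $pdo, string $raw): ?int
{
    $sid  = session_id_filtered($raw);
    $stmt = $pdo->prepare(
        'SELECT session_user_id FROM sessions WHERE session_id = :sid'
    );
    $stmt->execute([':sid' => $sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['session_user_id'];
}
```

Running the loop prints the two query strings for each sample value; the unfiltered hostile input produces a query whose quoted literal closes after `ab c`, while the filtered one is a well-formed lookup for `abc12`. The whitelist is the fix the thread describes; the prepared statement is the additional layer a modern code base would use.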

Offline sajwal

  • Jr. Member
  • **
  • Posts: 61
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #32 on: July 25, 2006, 11:26:21 PM »
I found that in ver 1.7.3 the line $this->session_id = session_id(); is not edited??? 8O

Should I make the changes in 1.7.3 also, for security reasons?

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #33 on: July 26, 2006, 12:22:00 AM »
No, v1.7.3 has a different approach.