authorAndrew Dolgov <[email protected]>2005-11-19 18:52:40 +0100
committerAndrew Dolgov <[email protected]>2005-11-19 18:52:40 +0100
commitf72dbbdefc1a16e35786765d310c6326d8f495c1 (patch)
tree19c82acd30938d65b48ab53e89961d87014bd97a /backend.php
parenta5873b2eaf8290db01499a09a2ad7991ee182245 (diff)
misc rpc security bugfixes
Diffstat (limited to 'backend.php')
-rw-r--r--backend.php7
1 files changed, 4 insertions, 3 deletions
diff --git a/backend.php b/backend.php
index 5a65421cc..afa04fe16 100644
--- a/backend.php
+++ b/backend.php
@@ -921,7 +921,7 @@
title = '$feed_title', feed_url = '$feed_link',
update_interval = '$upd_intl',
purge_interval = '$purge_intl'
- WHERE id = '$feed_id'");
+ WHERE id = '$feed_id' AND owner_uid = " . $_SESSION["uid"]);
}
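Review bot: The new ownership predicate appends `$_SESSION["uid"]` to the SQL text unquoted and uncast, here and in the DELETE and SELECT hunks below, while the INSERT shown as context in the third hunk quotes it. If the session value is ever missing or not an integer the statement becomes malformed or changes meaning, so I would normalise it once, `$owner_uid = (int) $_SESSION["uid"];`, and use `AND owner_uid = $owner_uid` in all three queries. Whether `$feed_title`, `$feed_link`, `$upd_intl`, `$purge_intl` and `$feed_id` are escaped is decided outside this hunk; if they are not, the added predicate gives no guarantee, because it follows those interpolated values in the same string. The enclosing block starts above the hunk.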
@@ -932,7 +932,8 @@
$ids = split(",", $_GET["ids"]);
foreach ($ids as $id) {
- db_query($link, "DELETE FROM ttrss_feeds WHERE id = '$id'");
+ db_query($link, "DELETE FROM ttrss_feeds
+ WHERE id = '$id' AND owner_uid = " . $_SESSION["uid"]);
$icons_dir = ICONS_DIR;
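Review bot: `$id` comes straight from `$_GET["ids"]` via `split()` and is interpolated into the DELETE with no validation visible in this hunk, so the `owner_uid` condition that now follows it only holds if `$id` cannot alter the statement. Feed ids appear to be numeric, so casting inside the loop before the query, `$id = (int) $id;`, would make the ownership check reliable. The code after `$icons_dir = ICONS_DIR;` is outside the hunk; if it removes an icon file named after `$id`, it should run only when the DELETE actually removed a row owned by the caller.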
@@ -953,7 +954,7 @@
"INSERT INTO ttrss_feeds (owner_uid,feed_url,title) VALUES ('".$_SESSION["uid"]."', '$feed_link', '')");
$result = db_query($link,
- "SELECT id FROM ttrss_feeds WHERE feed_url = '$feed_link'");
+ "SELECT id FROM ttrss_feeds WHERE feed_url = '$feed_link' AND owner_uid = " . $_SESSION["uid"]);
$feed_id = db_fetch_result($result, 0, "id");