author | Andrew Dolgov <[email protected]> | 2006-05-22 06:13:44 +0100 |
committer | Andrew Dolgov <[email protected]> | 2006-05-22 06:13:44 +0100 |
commit | 9cd30721df336c149601ee07210dc1a553ce586d (patch) | |
tree | 1eefde49ae679700fe200420873a0ca52c396538 /backend.php | |
parent | 4220b0bddbff8ee0ded072f75442a9e8d9a1313f (diff) |
security fixes in filter editor
Diffstat (limited to 'backend.php')
-rw-r--r-- | backend.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/backend.php b/backend.php
index dd94a93b9..2ffbea3d1 100644
--- a/backend.php
+++ b/backend.php
@@ -2099,7 +2099,7 @@
 $filter_id = db_escape_string($_GET["id"]);
 $result = db_query($link,
- "SELECT * FROM ttrss_filters WHERE id = '$filter_id'");
+ "SELECT * FROM ttrss_filters WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]);
 $reg_exp = htmlspecialchars(db_unescape_string(db_fetch_result($result, 0, "reg_exp")));
 $filter_type = db_fetch_result($result, 0, "filter_type");
@@ -2199,7 +2199,7 @@
 feed_id = $feed_id,
 action_id = '$action_id',
 filter_type = '$filter_type'
- WHERE id = '$filter_id'");
+ WHERE id = '$filter_id' AND owner_uid = " . $_SESSION["uid"]);
 }
 if ($subop == "remove") {
@@ -2209,7 +2209,7 @@
 $ids = split(",", db_escape_string($_GET["ids"]));
 foreach ($ids as $id) {
- db_query($link, "DELETE FROM ttrss_filters WHERE id = '$id'");
+ db_query($link, "DELETE FROM ttrss_filters WHERE id = '$id' AND owner_uid = ". $_SESSION["uid"]);
 }
 }
|
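Review bot: The added `owner_uid` condition in the SELECT can now legitimately return zero rows, but the context lines that follow still call `db_fetch_result($result, 0, "reg_exp")` and `db_fetch_result($result, 0, "filter_type")` unconditionally, so a request for a filter id the current user does not own fails inside the fetch instead of being rejected cleanly. A row-count guard between the query and the fetches, such as `if (db_num_rows($result) == 0) return;`, would make the not-owned case explicit (this assumes the project's db layer exposes a `db_num_rows` helper, which I believe it does elsewhere in the tree — please confirm). Separately, `$_SESSION["uid"]` is concatenated into the statement unquoted and unescaped here and in the two following hunks; when the session carries no uid the query becomes a syntax error rather than an empty match, so either a cast, `" AND owner_uid = " . (int) $_SESSION["uid"]`, or the same quote-and-escape treatment already applied to `$filter_id` would keep these checks well-formed. The enclosing `if ($subop == ...)` branch begins before this hunk.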
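Review bot: Each `$id` in the removal loop is interpolated into the DELETE after a single `db_escape_string` pass over the whole comma-separated `$_GET["ids"]` string, so malformed fragments are neutralised only by escaping rather than validated; since filter ids are integers, coercing with `$id = (int) $id;` (or skipping entries that fail `is_numeric`) before the query would state the intent directly and remove the dependence on the escape function for this path. The loop also issues one statement per id, and a single `DELETE ... WHERE id IN (...) AND owner_uid = ...` built from the validated list would do the same work in one round trip — optional, but worth considering if the list can be long. The `if ($subop == "remove")` block continues past the end of the hunk.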