From 2352c320c2ed34ec7df1ad22f0c55a1b26489815 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Mon, 20 Nov 2017 08:48:18 +0300
Subject: fix possible sql injection in public/forgotpass

---
 classes/handler/public.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'classes/handler/public.php')

diff --git a/classes/handler/public.php b/classes/handler/public.php
index d3c854ae4..ec41ddb87 100644
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -688,7 +688,7 @@ class Handler_Public extends Handler {
 		@$method = $_POST['method'];
 
 		if ($hash) {
-			$login = $_REQUEST["login"];
+			$login = $this->dbh->escape_string($_REQUEST["login"]);
 
 			if ($login) {
 				$result = $this->dbh->query("SELECT id, resetpass_token FROM ttrss_users
@@ -1018,4 +1018,4 @@ class Handler_Public extends Handler {
 		}
 	}
 }
-?>
\ No newline at end of file
+?>
-- 
cgit v1.2.3