Changeset 3536:1e44804e7c85 for admin/users.php

Timestamp:

03/01/17 17:12:40 (9 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

2.11

Message:

Sanitize filters params, thanks 张恒 (Janes) for report

File:

• admin/users.php (modified) (3 diffs)

admin/users.php

@@ -60 +60 @@
 $q = !empty($_GET['q']) ? $_GET['q'] : '';
 $sortby = !empty($_GET['sortby']) ?     $_GET['sortby'] : 'user_id';
-$order = !empty($_GET['order']) ?       $_GET['order'] : 'asc';
+$order = !empty($_GET['order']) ? $_GET['order'] : 'asc';
 
 $params['limit'] = array((($page-1)*$nb_per_page),$nb_per_page);
@@ -72 +72 @@
 
 # - Sortby and order filter
-if ($sortby !== '' && in_array($sortby,$sortby_combo)) {
+if ($sortby !== '' && in_array($sortby,$sortby_combo,true)) {
      if (array_key_exists($sortby,$sortby_lex)) {
           $params['order'] = $core->con->lexFields($sortby_lex[$sortby]);
@@ -78 +78 @@
           $params['order'] = $sortby;
      }
-     if ($order !== '' && in_array($order,$order_combo)) {
+     if ($order !== '' && in_array($order,$order_combo,true)) {
           $params['order'] .= ' '.$order;
      } else {
           $order='asc';
      }
-
-     if ($sortby != 'user_id' || $order != 'asc') {
-          $show_filters = true;
-     }
 } else {
      $sortby = 'user_id';
      $order = 'asc';
+}
+if ($sortby != 'user_id' || $order != 'asc') {
+     $show_filters = true;
 }