
Changeset 1288172


Timestamp:
11/17/2015 06:56:23 PM (10 years ago)
Author:
gmichaelguy
Message:

4 security updates implemented. Testing now.

Location:
mtouch-quiz/trunk
Files:
6 edited

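--- a/mtouch-quiz/trunk/mtouchquiz.php
+++ b/mtouch-quiz/trunk/mtouchquiz.php
@@ -104,21 +104,23 @@
 ';
     if ($_POST['mtq_hidden'] == 'Y') {
-        //process form
-        update_option('mtouchquiz_leftdelimit', $_REQUEST['left_delimiter']);
-        update_option('mtouchquiz_rightdelimit', $_REQUEST['right_delimiter']);
-        if(!empty($_POST['showalerts'])) {
-            update_option('mtouchquiz_showalerts', $_POST['showalerts']);
-        } else
-        {
-            update_option('mtouchquiz_showalerts', 0);
+        if (check_admin_referer('mtq_options_form')) {
+            //process form
+            update_option('mtouchquiz_leftdelimit', $_REQUEST['left_delimiter']);
+            update_option('mtouchquiz_rightdelimit', $_REQUEST['right_delimiter']);
+            if(!empty($_POST['showalerts'])) {
+                update_option('mtouchquiz_showalerts', $_POST['showalerts']);
+            } else
+            {
+                update_option('mtouchquiz_showalerts', 0);
+            }
+           
+            if(!empty($_POST['show_support'])) {
+                update_option('mtouchquiz_show_support', "false");
+            } else
+            {
+                update_option('mtouchquiz_show_support', "true");
+            }
+            wpframe_message(__('Options updated', 'mtouchquiz'));   
         }
-        
-        if(!empty($_POST['show_support'])) {
-            update_option('mtouchquiz_show_support', "false");
-        } else
-        {
-            update_option('mtouchquiz_show_support', "true");
-        }
-        wpframe_message(__('Options updated', 'mtouchquiz'));   
     }
 ?>
@@ -163,4 +165,5 @@
     <input type="submit" class="button-primary" value="<?php _e('Save Changes', 'mtouchquiz') ?>" />
   </p>
+  <?php wp_nonce_field('mtq_options_form'); ?>
 </form>
 <br />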
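Review bot: The nonce check added at line 106 stops CSRF, but the values it now guards are still stored unfiltered: `left_delimiter` and `right_delimiter` go from `$_REQUEST` straight into `update_option()` at lines 108–109, and `$_POST['showalerts']` is stored as-is at line 111. Since the nonce field at line 167 is posted with the form, the companion fix is to read from `$_POST`, unslash, and filter to match how the value is used, e.g. `update_option('mtouchquiz_leftdelimit', sanitize_text_field(wp_unslash($_POST['left_delimiter'])));` (the same for the right delimiter, if the delimiters are plain text) and `update_option('mtouchquiz_showalerts', (int) $_POST['showalerts']);`. A nonce proves intent, not permission; whether a `current_user_can('manage_options')` check guards this handler cannot be seen from the hunk and is worth confirming. The block that begins before line 104 and the outer `if` at line 105 continue outside the hunk.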
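--- a/mtouch-quiz/trunk/question.php
+++ b/mtouch-quiz/trunk/question.php
@@ -6,5 +6,5 @@
 if($_REQUEST['action'] == 'edit') $action = 'edit';
 
-if(isset($_REQUEST['submit'])) {
+if(isset($_REQUEST['submit']) && check_admin_referer('mtq_question_form') ) {
     $correct_answers = $_REQUEST['correct_answer'];
     $num_correct = count($correct_answers);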
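Review bot: `$_REQUEST['correct_answer']` is handed to `count()` at line 10 without checking that it is an array; a missing or scalar value produces a warning (a `TypeError` on PHP 8) inside the code the new nonce check was meant to harden. Now that the nonce ties the request to the posted form, reading the submission from `$_POST` and guarding its shape is the natural companion: `$correct_answers = (isset($_POST['correct_answer']) && is_array($_POST['correct_answer'])) ? $_POST['correct_answer'] : array();`. The condition at line 8 also still keys off `$_REQUEST['submit']`, so the submit flag and nonce can ride in the query string; `$_POST` there closes that. The statement run continues past line 10.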
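--- a/mtouch-quiz/trunk/question_form.php
+++ b/mtouch-quiz/trunk/question_form.php
@@ -200,4 +200,5 @@
       <?php _e("Go to Questions Page", 'mtouchquiz') ?>
       </a> </div>
+        <?php wp_nonce_field('mtq_question_form'); ?>
   </form>
 </div>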
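--- a/mtouch-quiz/trunk/quiz.php
+++ b/mtouch-quiz/trunk/quiz.php
@@ -47,5 +47,5 @@
         ?>
     <th scope="row" style="text-align: center;"><?php echo $quiz->ID ?></th>
-      <td><?php echo stripslashes($quiz->name)?></td>
+      <td><?php echo stripslashes(sanitize_text_field($quiz->name))?></td>
       <td><?php echo $quiz->question_count ?></td>
       <td><?php echo date(get_option('date_format') . ' ' . get_option('time_format'), strtotime($quiz->added_on)) ?></td>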
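Review bot: `sanitize_text_field()` at line 49 is an input filter, not an output escaper: it strips tags and control bytes but does not entity-encode, so it is the wrong tool for a value being echoed into HTML, and it mangles legitimate names (e.g. `a<b` is truncated to `a` because everything after an unclosed `<` is dropped). The WordPress idiom in a table cell is to escape at output, `<td><?php echo esc_html(stripslashes($quiz->name)); ?></td>`, which neutralises every character rather than guessing which ones are tags. The sanitizer belongs at save time, where quiz_action.php in this same changeset already applies it.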
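--- a/mtouch-quiz/trunk/quiz_action.php
+++ b/mtouch-quiz/trunk/quiz_action.php
@@ -25,5 +25,5 @@
     if($_REQUEST['action'] == 'edit') { //Update goes here
 
-        $wpdb->get_results($wpdb->prepare("UPDATE {$wpdb->prefix}mtouchquiz_quiz SET name=%s, description=%s,final_screen=%s,answer_mode=%s,single_page=%s, show_hints=%s, show_start=%s, show_final=%s, multiple_chances=%s, random_questions=%s, random_answers=%s, form_code=%s, time_limit=%s WHERE ID=%d", $_REQUEST['name'], $_REQUEST['description'], $_REQUEST['content'], $answer_mode, $single_page, $show_hints, $show_start, $show_final,$multiple_chances, $random_questions, $random_answers,$_REQUEST['gravity'],$_REQUEST['mtq_timer'],$_REQUEST['quiz']));
+        $wpdb->get_results($wpdb->prepare("UPDATE {$wpdb->prefix}mtouchquiz_quiz SET name=%s, description=%s,final_screen=%s,answer_mode=%s,single_page=%s, show_hints=%s, show_start=%s, show_final=%s, multiple_chances=%s, random_questions=%s, random_answers=%s, form_code=%s, time_limit=%s WHERE ID=%d", sanitize_text_field($_REQUEST['name']), $_REQUEST['description'], $_REQUEST['content'], $answer_mode, $single_page, $show_hints, $show_start, $show_final,$multiple_chances, $random_questions, $random_answers,$_REQUEST['gravity'],$_REQUEST['mtq_timer'],$_REQUEST['quiz']));
        
         wp_redirect($wpframe_home . '/wp-admin/admin.php?page=mtouch-quiz/quiz.php&message=updated');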
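Review bot: Only `name` is filtered on the rewritten line 27; `description`, `content` (stored as `final_screen`), `gravity` (`form_code`) and `mtq_timer` (`time_limit`) still go in straight from `$_REQUEST`. `$wpdb->prepare()` keeps the statement safe against SQL injection, but these columns are read back in quiz_form.php and presumably rendered, so each wants the filter that matches its content — `wp_kses_post()` if `description`/`final_screen` are meant to carry HTML, `sanitize_text_field()` otherwise, and `absint()` for `mtq_timer` if `time_limit` is numeric; the column types cannot be seen from this hunk. It is also worth confirming that `check_admin_referer('mtq_create_edit_quiz')` runs before this UPDATE: quiz_form.php already emits that nonce (its line 373 is unchanged context), but no check is visible here. The `if` opened at line 25 closes outside the hunk.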
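--- a/mtouch-quiz/trunk/quiz_form.php
+++ b/mtouch-quiz/trunk/quiz_form.php
@@ -8,5 +8,6 @@
 $dquiz = array();
 if($action == 'edit') {
-    $dquiz = $wpdb->get_row($wpdb->prepare("SELECT name,description,final_screen,answer_mode,single_page,show_hints,show_start, show_final,multiple_chances,random_questions,random_answers FROM {$wpdb->prefix}mtouchquiz_quiz WHERE ID=%d", $_REQUEST['quiz']));
+    $clean_quiz = intval($_REQUEST['quiz']);
+    $dquiz = $wpdb->get_row($wpdb->prepare("SELECT name,description,final_screen,answer_mode,single_page,show_hints,show_start, show_final,multiple_chances,random_questions,random_answers FROM {$wpdb->prefix}mtouchquiz_quiz WHERE ID=%d", $clean_quiz));
     $final_screen = stripslashes($dquiz->final_screen);
     $answer_display = stripslashes($dquiz->answer_mode);
@@ -18,7 +19,7 @@
     $random_questions = stripslashes($dquiz->random_questions);
     $random_answers = stripslashes($dquiz->random_answers);
-    $dquizfm = $wpdb->get_row($wpdb->prepare("SELECT form_code FROM {$wpdb->prefix}mtouchquiz_quiz WHERE ID=%d", $_REQUEST['quiz']));
+    $dquizfm = $wpdb->get_row($wpdb->prepare("SELECT form_code FROM {$wpdb->prefix}mtouchquiz_quiz WHERE ID=%d", $clean_quiz));
     $form_code = stripslashes($dquizfm->form_code);
-    $tquizfm = $wpdb->get_row($wpdb->prepare("SELECT time_limit FROM {$wpdb->prefix}mtouchquiz_quiz WHERE ID=%d", $_REQUEST['quiz']));
+    $tquizfm = $wpdb->get_row($wpdb->prepare("SELECT time_limit FROM {$wpdb->prefix}mtouchquiz_quiz WHERE ID=%d", $clean_quiz));
     $mtq_time = stripslashes($tquizfm->time_limit);
 } else {
@@ -208,5 +209,5 @@
        
             if ($action == 'edit') {
-                $all_ratings = $wpdb->get_results($wpdb->prepare("SELECT score_rating, min_points FROM {$wpdb->prefix}mtouchquiz_ratings WHERE quiz_id=%d ORDER BY min_points", $_REQUEST['quiz']));
+                $all_ratings = $wpdb->get_results($wpdb->prepare("SELECT score_rating, min_points FROM {$wpdb->prefix}mtouchquiz_ratings WHERE quiz_id=%d ORDER BY min_points", intval($_REQUEST['quiz'])));
             }
             $default_ratings = array(0,40,60,80,100);
@@ -373,5 +374,5 @@
         <?php wp_nonce_field('mtq_create_edit_quiz'); ?>
         <input type="hidden" name="action" value="<?php echo $action; ?>" />
-        <input type="hidden" name="quiz" value="<?php echo $_REQUEST['quiz']; ?>" />
+        <input type="hidden" name="quiz" value="<?php echo intval($_REQUEST['quiz']); ?>" />
         <input type="hidden" id="user-id" name="user_ID" value="<?php echo (int) $user_ID ?>" />
         <span id="autosave"></span>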
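Review bot: `intval($_REQUEST['quiz'])` is now computed in three places — `$clean_quiz` at line 10, inline at line 211, and again at line 376 — and line 376 runs on the create form too, where `quiz` is absent and `$clean_quiz` was never assigned. Hoisting one line above the `if` at line 9, `$clean_quiz = isset($_REQUEST['quiz']) ? intval($_REQUEST['quiz']) : 0;`, lets lines 11, 21, 23, 211 and 376 all reuse `$clean_quiz`, avoids the undefined-index notice, and leaves a single place to tighten the check later. Note that `%d` in `prepare()` already casts, so the `intval()` here is defence in depth rather than a closed hole; the real gain of line 376 is that the hidden field can no longer reflect an arbitrary string into the attribute. The three `get_row()` calls at lines 11, 21 and 23 also fetch the same row by the same ID, so `form_code` and `time_limit` could simply be added to the first SELECT.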