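/**
 * Fetch a single column of a non-deleted user row, looked up by user ID.
 *
 * @param mixed  $uid   user ID; interpolated into the WHERE clause, so it is passed
 *                      through core_query_sanitize() first (the original only sanitised $field)
 * @param string $field column to select; it is used as an SQL *identifier*, which value
 *                      escaping cannot fully protect, so callers must only pass fixed,
 *                      trusted column names — never request-derived strings
 * @return mixed the column value, or null when $uid/$field is empty (after sanitising)
 *               or when no matching row exists
 */
function user_getfieldbyuid($uid, $field)
{
    // Explicit default: the original returned an unset local (null) when nothing matched.
    $ret = null;

    // Both values are embedded in the query string, so both go through the same sanitiser.
    // Assumes core_query_sanitize() accepts whatever type callers pass as $uid, as it
    // already does for $field — confirm against its definition.
    $field = core_query_sanitize($field);
    $uid = core_query_sanitize($uid);

    if ($uid && $field) {
        $db_query = "SELECT {$field} FROM " . _DB_PREF_ . "_tblUser WHERE flag_deleted='0' AND uid='{$uid}'";
        $db_result = dba_query($db_query);
        if ($db_row = dba_fetch_array($db_result)) {
            // The sanitised name is the same one the query selected, so it is the row key.
            $ret = $db_row[$field];
        }
    }

    return $ret;
}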
} // closes a statement that begins before this excerpt — presumably the matching loop over $_POST; confirm in the full file

// Pass every top-level $_GET value through core_sanitize_inputs() before anything reads it.
// NOTE(review): nested array values are handed to core_sanitize_inputs() as a whole;
// whether it recurses into them is not visible here.
foreach ($_GET as $key => $val) {
    $_GET[$key] = core_sanitize_inputs($val);
}

// too many codes using $_REQUEST, until we revise them all we use this as a workaround
// The empty() call is an expression statement with no effect; $_REQUEST is rebuilt from
// $_GET and $_POST on the following line ($_POST wins on duplicate keys), so cookie values
// no longer appear in $_REQUEST from this point on.
empty($_REQUEST);
$_REQUEST = array_merge($_GET, $_POST);

// global defines
// Routing parameters are read from the merged $_REQUEST, so each may arrive via GET or POST.
// NOTE(review): a missing key yields null (plus an undefined-index notice) before sanitising.
define('_APP_', core_query_sanitize($_REQUEST['app']));
define('_INC_', core_query_sanitize($_REQUEST['inc']));
define('_OP_', core_query_sanitize($_REQUEST['op']));
define('_ROUTE_', core_query_sanitize($_REQUEST['route']));
define('_PAGE_', core_query_sanitize($_REQUEST['page']));
define('_NAV_', core_query_sanitize($_REQUEST['nav']));
define('_CAT_', core_query_sanitize($_REQUEST['cat']));
define('_PLUGIN_', core_query_sanitize($_REQUEST['plugin']));

// save last $_POST in $_SESSION
// Only POSTs that carry an X-CSRF-Token field are remembered, keyed by an md5 of the
// current route. NOTE(review): _INC_ appears twice in the key and _OP_ not at all — confirm intended.
if ($_POST['X-CSRF-Token']) {
    $_SESSION['tmp']['last_post'][md5(trim(_APP_ . _INC_ . _ROUTE_ . _INC_))] = $_POST;
}

// enable anti-CSRF for anything but webservices
// The token check is skipped entirely for app 'ws'/'webservices' and when ignore_csrf is
// configured; those paths must therefore be protected by other means — confirm they are.
if (!(_APP_ == 'ws' || _APP_ == 'webservices' || $core_config['init']['ignore_csrf'])) {
    // print_r($_POST); print_r($_SESSION);
    // Any POST that fails validation is logged (the log line includes the session id and
    // client IP, so the log itself is sensitive) and the client is blocked via auth_block().
    if ($_POST) {
        if (!core_csrf_validate()) {
            logger_print('WARNING: possible CSRF attack. sid:' . $_SESSION['sid'] . ' ip:' . $_SERVER['REMOTE_ADDR'], 2, 'init');
            auth_block();
        }
    }
    // Issue the token for the next request. This if-block continues past the end of this excerpt.
    $csrf = core_csrf_set();
    define('_CSRF_TOKEN_', $csrf['value']);