hans/Nominatim
1
0
Fork 1
mirror of https://github.com/osm-search/Nominatim.git synced 2026-02-26 02:58:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

properly escape class parameter

Browse Source 
The class parameter was used as is, allowing for potential
SQL injection via the API.

Thanks to @bladeswords for finding this.
This commit is contained in:
Sarah Hoffmann
2020-05-02 23:01:27 +02:00
parent 627a487fcf
commit f549379e31
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
website/details.php
View File

@@ -37,7 +37,7 @@ if ($sOsmType && $iOsmId > 0) {
);
// osm_type and osm_id are not unique enough
if ($sClass) {
$sSQL .= " AND class='".$sClass."'";
$sSQL .= " AND class='".pg_escape_string($sClass)."'";
}
$sSQL .= ' ORDER BY class ASC';
$sPlaceId = chksql($oDB->getOne($sSQL));