author | Phil Davis <phil.davis@inf.org> | 2016-04-19 17:40:13 +0545 |
committer | Stephen Beaver <sbeaver@netgate.com> | 2016-04-19 08:08:49 -0400 |
commit | ab2f968477b268cffccef095c9f22a76aab09e4d (patch) | |
tree | b0f732c0485c8d284e76ba0dd84ccf713f02149e /src/etc/inc/captiveportal.inc | |
parent | a2c12f5da91eedf387ab0c7c2497775e668bd2a5 (diff) | |
download | pfsense-ab2f968477b268cffccef095c9f22a76aab09e4d.zip pfsense-ab2f968477b268cffccef095c9f22a76aab09e4d.tar.gz |
Escape username before use in CP SQL
A possibly "better" version to try.
(cherry picked from commit 0a02fc5eefb265e0684d4447bf0a7c2a9687a188)
Diffstat (limited to 'src/etc/inc/captiveportal.inc')
-rw-r--r-- | src/etc/inc/captiveportal.inc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc
index 0bb4a8d..9e3d6e2 100644
--- a/src/etc/inc/captiveportal.inc
+++ b/src/etc/inc/captiveportal.inc
@@ -2086,7 +2086,7 @@ function portal_allow($clientip, $clientmac, $username, $password = null, $attri
 /* read in client database */
 $query = "WHERE ip = '{$clientip}'";
- $tmpusername = str_replace("'", "''", strtolower($username));
+ $tmpusername = SQLite3::escapeString(strtolower($username));
 if (isset($config['captiveportal'][$cpzone]['noconcurrentlogins'])) {
 $query .= " OR (username != 'unauthenticated' AND lower(username) = '{$tmpusername}')";
 } |
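Review bot: The line just above the changed one still interpolates `$clientip` into the SQL fragment unescaped, so the escaping added for the username leaves the other value in the same `WHERE` string uncovered; `$query = "WHERE ip = '" . SQLite3::escapeString($clientip) . "'";` would treat both values the same way. Whether `$clientip` can carry untrusted input is not visible here, and the `$query` fragment is presumably handed to a helper outside the hunk, so binding both values as prepared-statement parameters in that helper would be a more durable fix than per-value escaping. `SQLite3::escapeString` doubles single quotes like the removed `str_replace` did but is documented as not binary safe, and its output is only safe because the `$query .=` line wraps `{$tmpusername}` in single quotes; a comment such as `// escapeString only doubles quotes: keep the value inside '...' in the SQL` would record that dependency. portal_allow begins and continues outside this hunk.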