Do not allow \ in fieldnames.

author: Scott Ullrich <sullrich@pfsense.org> 2008-12-12 18:20:37 +0000
committer: Scott Ullrich <sullrich@pfsense.org> 2008-12-12 18:20:37 +0000
commit: 6e32d276d0e30f7c1443b2a86b18df79da91c3ac (patch)
tree: 5fbed8734cd93daca525c62e1067967343cbf1f2 /usr/local/www
parent: b790e7674def435666be17d44ede4230a36f0cea (diff)
download: pfsense-6e32d276d0e30f7c1443b2a86b18df79da91c3ac.zip
pfsense-6e32d276d0e30f7c1443b2a86b18df79da91c3ac.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index 05b61cb..dde4af9 100755
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -159,10 +159,11 @@ if ($_POST) {
 						} else {
 						  if($firstfield == $rowhelperfield['fieldname']) $rows++;
 						}
-						$comd = "\$value = \$_POST['" . $rowhelperfield['fieldname'] . $x . "'];";
+						$fieldname = str_replace("\\", "", $rowhelperfield['fieldname']);
+						$fieldname = "\$value = \$_POST['" . $fieldname . $x . "'];";
 						eval($comd);
 						if($value <> "") {
-							$comd = "\$pkgarr['row'][" . $x . "]['" . $rowhelperfield['fieldname'] . "'] = \"" . $value . "\";";
+							$comd = "\$pkgarr['row'][" . $x . "]['" . $fieldname . "'] = \"" . $value . "\";";
 							//echo($comd . "<br>");
 							eval($comd);
 						}
author	Scott Ullrich <sullrich@pfsense.org>	2008-12-12 18:20:37 +0000
committer	Scott Ullrich <sullrich@pfsense.org>	2008-12-12 18:20:37 +0000
commit	6e32d276d0e30f7c1443b2a86b18df79da91c3ac (patch)
tree	5fbed8734cd93daca525c62e1067967343cbf1f2 /usr/local/www
parent	b790e7674def435666be17d44ede4230a36f0cea (diff)
download	pfsense-6e32d276d0e30f7c1443b2a86b18df79da91c3ac.zip pfsense-6e32d276d0e30f7c1443b2a86b18df79da91c3ac.tar.gz