Do not allow \ in fieldnames.

author: Scott Ullrich <sullrich@pfsense.org> 2008-12-12 18:20:42 +0000
committer: Scott Ullrich <sullrich@pfsense.org> 2008-12-12 18:20:42 +0000
commit: 01da85f5ff6b8b5bcabb64eb086b4e4658e74f20 (patch)
tree: d4ac0a69cb88c23933ab8b555b546b2ee3ce7387 /usr
parent: 5a2993ac6be600e4330b38c883aede9ccd7c5aaf (diff)
download: pfsense-01da85f5ff6b8b5bcabb64eb086b4e4658e74f20.zip
pfsense-01da85f5ff6b8b5bcabb64eb086b4e4658e74f20.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/usr/local/www/pkg_edit.php b/usr/local/www/pkg_edit.php
index 25f68b4..759a181 100755
--- a/usr/local/www/pkg_edit.php
+++ b/usr/local/www/pkg_edit.php
@@ -150,10 +150,11 @@ if ($_POST) {
 						} else {
 						  if($firstfield == $rowhelperfield['fieldname']) $rows++;
 						}
-						$comd = "\$value = \$_POST['" . $rowhelperfield['fieldname'] . $x . "'];";
+						$fieldname = str_replace("\\", "", $rowhelperfield['fieldname']);
+						$comd = "\$value = \$_POST['" . $fieldname . $x . "'];";
 						eval($comd);
 						if($value <> "") {
-							$comd = "\$pkgarr['row'][" . $x . "]['" . $rowhelperfield['fieldname'] . "'] = \"" . $value . "\";";
+							$comd = "\$pkgarr['row'][" . $x . "]['" . $fieldname . "'] = \"" . $value . "\";";
 							//echo($comd . "<br>");
 							eval($comd);
 						}
author	Scott Ullrich <sullrich@pfsense.org>	2008-12-12 18:20:42 +0000
committer	Scott Ullrich <sullrich@pfsense.org>	2008-12-12 18:20:42 +0000
commit	01da85f5ff6b8b5bcabb64eb086b4e4658e74f20 (patch)
tree	d4ac0a69cb88c23933ab8b555b546b2ee3ce7387 /usr
parent	5a2993ac6be600e4330b38c883aede9ccd7c5aaf (diff)
download	pfsense-01da85f5ff6b8b5bcabb64eb086b4e4658e74f20.zip pfsense-01da85f5ff6b8b5bcabb64eb086b4e4658e74f20.tar.gz