The diff for this is
Code:
-$_SESSION['comments'] = $_POST['comments'];
+$_SESSION['comments'] = zen_output_string_protected($_POST['comments']);
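Review bot: the `+` line applies zen_output_string_protected, an output-escaping step, at the point where the posted value is stored in the session rather than where the comment is rendered, so any code that escapes the stored value again at output will double-encode it, and HTML escaping does nothing for the SQL concern raised in the post; keep the prepared value in the session (the 1.3.9 line below already calls zen_db_prepare_input here) and call zen_output_string_protected at the place the comment is echoed, leaving SQL protection to the query itself.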
which works fine for 1.5.4, but in 1.3.9 the existing code is
Code:
$_SESSION['comments'] = zen_db_prepare_input($_POST['comments']);
Should the zen_db_prepare_input be replaced by zen_output_string_protected, or should they be merged in some way such as zen_db_prepare_input(zen_output_string_protected($_POST['comments'])) or zen_output_string_protected(zen_db_prepare_input($_POST['comments']))?
I don't want to accidentally introduce an SQL injection vulnerability here.
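As an added illustration (not code from this thread or from Zen Cart), the two orderings asked about above, written with stand-in helpers whose behaviour is an assumption: `prepare_input()` models an input-preparation step (trim plus stripslashes) and `output_protected()` models HTML output escaping via `htmlspecialchars`. The parameterised insert at the end is a generic PDO example (assumes the pdo_sqlite extension), not how Zen Cart issues queries.

```php
<?php
// Added illustration, not Zen Cart code. Stand-ins for the two helpers discussed:
// prepare_input() models input preparation (trim + stripslashes) and
// output_protected() models HTML output escaping. Their exact Zen Cart
// behaviour is an assumption here.
function prepare_input(string $s): string {
    return trim(stripslashes($s));
}
function output_protected(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input with both an HTML tag and SQL-looking text.
$posted = "  <script>alert(1)</script> Bob's order' OR 1=1 --  ";

// Both compositions from the question. Since prepare_input() only trims and
// strips slashes, and htmlspecialchars() adds neither whitespace nor
// backslashes, they agree for this input; the order is not the real issue.
$a = prepare_input(output_protected($posted));
$b = output_protected(prepare_input($posted));
var_dump($a === $b);

// Storing an already HTML-escaped value is the issue: whatever renders the
// comment later will escape it again, turning every &lt; into &amp;lt;, which
// shows up literally on the page.
$stored_escaped = $b;
echo output_protected($stored_escaped), "\n";

// Neither helper addresses SQL injection. That belongs to the query: bind the
// value as a parameter instead of interpolating it into the SQL string.
// (Generic PDO example; assumes the pdo_sqlite extension is available.)
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE orders_comments (comments TEXT)');
$stmt = $pdo->prepare('INSERT INTO orders_comments (comments) VALUES (:c)');
$stmt->execute([':c' => prepare_input($posted)]); // raw text stored intact

// Escape exactly once, where the value is rendered, not where it is stored.
$row = $pdo->query('SELECT comments FROM orders_comments')->fetchColumn();
echo output_protected($row), "\n";
```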