[geeklog-devel] SR4 Bug -- err so it would appear

Dirk Haun dirk at haun-online.de
Sun Feb 1 18:14:17 EST 2004


Blaine,

>Line 156 of usersettings.php
>    $preferences->set_var ('uid_value', $reqid);
>
>I believe this is a typo and not some security change.

No, this was a deliberate change. To quote myself (from geeklog-security):

>I've re-used the hidden "uid" field in the form, so there's no need to
>update the templates. The field wasn't used anyway as the value can't be
>trusted.

You could simply use $_USER['uid'], which has the added advantage that it
can't be manipulated.

bye, Dirk


-- 
http://www.haun-online.de/
http://www.macosx-faq.de/
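
The point made in the message above, shown as an added example that is not part of the original e-mail and is not Geeklog code: a handler that picks the account from the hidden "uid" field, next to one that picks it from the session. The function names, the in-memory store and the sample request are assumptions made for illustration; only $_USER['uid'] comes from the message.

```php
<?php
// Added illustration, not Geeklog code. The save_* functions and the
// in-memory $store are hypothetical stand-ins for the handler and database.

// Before: the row to update is picked by the hidden "uid" form field.
function save_untrusted(array &$store, array $post): int
{
    $uid = (int) $post['uid'];      // client-controlled value
    $store[$uid] = $post['email'];
    return $uid;
}

// After: the row to update is picked by the session identity. The posted
// uid is never read, so changing it in the form has no effect.
function save_from_session(array &$store, array $user, array $post): int
{
    if (empty($user['uid'])) {
        throw new RuntimeException('no authenticated user');
    }
    $uid = (int) $user['uid'];      // set server-side at login
    $store[$uid] = $post['email'];
    return $uid;
}

// Constructed sample data: two accounts, a session for uid 7, and a request
// whose hidden uid field was changed to 2 before submission.
$accounts = [2 => 'admin@example.org', 7 => 'alice@example.org'];
$_USER    = ['uid' => 7];
$post     = ['uid' => '2', 'email' => 'new@example.net'];

$a = $accounts;
printf("untrusted field: wrote uid %d\n", save_untrusted($a, $post));

$b = $accounts;
printf("session uid:     wrote uid %d\n", save_from_session($b, $_USER, $post));
```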



