[geeklog-devel] SR4 Bug -- err so it would appear

Dirk Haun dirk at haun-online.de
Sun Feb 1 18:14:17 EST 2004


Blaine,


>Line 156 of usersettings.php
> $preferences->set_var ('uid_value', $reqid);
>
>I believe this is a typo and not some security change.


No, this was a deliberate change. To quote myself (from geeklog-security):


>I've re-used the hidden "uid" field in the form, so there's no need to
>update the templates. The field wasn't used anyway as the value can't be
>trusted.


You could simply use $_USER['uid'], which has the added advantage that it
can't be manipulated.

bye, Dirk


--
http://www.haun-online.de/
http://www.macosx-faq.de/
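
The difference between reading the account id from the hidden "uid" form field and reading it from `$_USER['uid']`, as an added example that is not part of the original message and is not Geeklog code. It assumes `$_USER` is filled server-side from the authenticated session; the function names, the `theme` preference and all sample values are constructed for illustration.

```php
<?php
// Added illustration, not Geeklog code. $user stands in for the $_USER array
// the application fills from the authenticated session (assumption); $post
// stands in for the submitted form. Function names and values are constructed.

// Untrusted: the browser controls every form field, hidden or not.
function uid_from_form(array $post): int
{
    return (int) ($post['uid'] ?? 0);
}

// Trusted: set server-side at login; the request body cannot change it.
function uid_from_session(array $user): int
{
    $uid = (int) ($user['uid'] ?? 0);
    if ($uid <= 0) {
        throw new RuntimeException('not logged in');
    }
    return $uid;
}

// Hypothetical preference store keyed by account id.
function save_theme(array &$prefs, int $uid, string $theme): void
{
    if (!isset($prefs[$uid])) {
        throw new RuntimeException('unknown account');
    }
    $prefs[$uid]['theme'] = $theme;
}

// Constructed data: account 5 is logged in and submits a form whose hidden
// uid field has been edited to 2.
$user = ['uid' => 5];
$post = ['uid' => '2', 'theme' => 'dark'];

// Form-derived uid: the write lands on whichever account the field names.
$prefs = [2 => ['theme' => 'classic'], 5 => ['theme' => 'classic']];
save_theme($prefs, uid_from_form($post), $post['theme']);
echo "form uid:    account 2 = {$prefs[2]['theme']}, account 5 = {$prefs[5]['theme']}\n";

// Session-derived uid: the posted field has no influence on the target.
$prefs = [2 => ['theme' => 'classic'], 5 => ['theme' => 'classic']];
save_theme($prefs, uid_from_session($user), $post['theme']);
echo "session uid: account 2 = {$prefs[2]['theme']}, account 5 = {$prefs[5]['theme']}\n";
```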



