[geeklog-devel] public_html/index.php
Joe Mucchiello
joe at throwingdice.com
Tue May 6 23:55:01 EDT 2008
How long has this been broken? It's in 1.4.1 and 1.5:
    if (!empty($U['aids'])) {
        $sql .= " AND s.uid NOT IN (" . str_replace( ' ', ",", $U['aids'] ) . ") ";
    }
    if (!empty($U['tids'])) {
        $sql .= " AND s.tid NOT IN ('" . str_replace( ' ', "','", $U['tids'] ) . "') ";
    }
$U has no global value that I'm aware of. It's even a
register_globals hole that could show hidden stories.
I assume $U should be $_USER.
----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com
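
An added example, not part of the original message and not Geeklog code: one way to build the same two clauses from an explicitly initialized array with per-token validation, so that nothing depends on an undeclared global. The helper name `buildExclusionSql`, the sample values and the allowed character set for topic ids are assumptions; the space-separated list format is taken from the `str_replace()` calls quoted above.

```php
<?php
// Added example (not Geeklog code). Assumes 'aids' and 'tids' are
// space-separated lists, as the str_replace() calls in the post imply.

/**
 * Build the "exclude these authors / topics" SQL fragment.
 * Hypothetical helper: name and signature are illustrative only.
 */
function buildExclusionSql(array $prefs): string
{
    $sql = '';

    // Author ids go into the query unquoted, so accept digit-only tokens.
    $aids = preg_split('/\s+/', (string) ($prefs['aids'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    $aids = array_filter($aids, 'ctype_digit');
    if ($aids) {
        $sql .= ' AND s.uid NOT IN (' . implode(',', $aids) . ') ';
    }

    // Topic ids are quoted strings. The allowed character set below is an
    // assumption; anything outside it is dropped rather than escaped.
    $tids = preg_split('/\s+/', (string) ($prefs['tids'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    $tids = array_filter($tids, function ($t) {
        return preg_match('/^[A-Za-z0-9_-]+$/', $t) === 1;
    });
    if ($tids) {
        $sql .= " AND s.tid NOT IN ('" . implode("','", $tids) . "') ";
    }

    return $sql;
}

// Constructed sample standing in for the application-populated $_USER array.
// It includes two malformed tokens to show that they are discarded.
$_USER = ['aids' => '3 17 x9', 'tids' => "news gl-dev bad'id"];

// Start from known-empty defaults and copy only from $_USER, so the values
// are always defined before use, whatever register_globals is set to.
$prefs = [
    'aids' => $_USER['aids'] ?? '',
    'tids' => $_USER['tids'] ?? '',
];

echo buildExclusionSql($prefs), PHP_EOL;
```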