From 70de7e5a1dd96c47c48eb45498004d219bec1283 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 3 Jun 2011 11:34:54 +0200
Subject: guest_login: Cleanup, fix sql injection

---
 includes/pages/guest_faq.php   | 14 ++++++++---
 includes/pages/guest_login.php | 56 ++++++++++++++++++++++++++++++------------
 2 files changed, 50 insertions(+), 20 deletions(-)

diff --git a/includes/pages/guest_faq.php b/includes/pages/guest_faq.php
index c4bcd0bb..2799cbaf 100644
--- a/includes/pages/guest_faq.php
+++ b/includes/pages/guest_faq.php
@@ -5,11 +5,17 @@ function guest_faq() {
 	foreach ($faqs as $faq) {
 		$html .= "<dl>";
 		if ($_SESSION['Sprache'] == "DE") {
-			$html .= "<dt>" . $faq['Frage_de'] . "</dt>";
-			$html .= "<dd>" . $faq['Antwort_de'] . "</dd>";
+			$html .= sprintf(
+				'<dt>%s</dt> <dd>%s</dd>',
+				$faq['frage_de'],
+				$faq['antwort_de']
+			);
 		} else {
-			$html .= "<dt>" . $faq['Frage_en'] . "</dt>";
-			$html .= "<dd>" . $faq['Antwort_en'] . "</dd>";
+			$html .= sprintf(
+				'<dt>%s</dt> <dd>%s</dd>',
+				$faq['frage_en'],
+				$faq['antwort_en']
+			);
 		}
 		$html .= "</dl>";
 	}
diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php
index bbf36b6d..db20a207 100644
--- a/includes/pages/guest_login.php
+++ b/includes/pages/guest_login.php
@@ -16,12 +16,25 @@ function guest_register() {
 		$Ergans = sql_select("SELECT UID FROM `User` WHERE `Nick`='" . sql_escape($_POST["Nick"]) . "'");
 
 		if (strlen($_POST["Nick"]) < 2)
-			$error = Get_Text("makeuser_error_nick1") . $_POST["Nick"] . Get_Text("makeuser_error_nick2");
-		elseif (count($Ergans) > 0) $error = Get_Text("makeuser_error_nick1") . $_POST["Nick"] . Get_Text("makeuser_error_nick3");
-		elseif (strlen($_POST["email"]) <= 6 && strstr($_POST["email"], "@") == FALSE && strstr($_POST["email"], ".") == false) $error = Get_Text("makeuser_error_mail");
-		elseif (!is_numeric($_POST["Alter"])) $error = Get_Text("makeuser_error_Alter");
-		elseif ($_POST["Passwort"] != $_POST["Passwort2"]) $error = Get_Text("makeuser_error_password1");
-		elseif (strlen($_POST["Passwort"]) < 6) $error = Get_Text("makeuser_error_password2");
+			$error = Get_Text("makeuser_error_nick1")
+				. $_POST["Nick"] . Get_Text("makeuser_error_nick2");
+
+		elseif (count($Ergans) > 0)
+			$error = Get_Text("makeuser_error_nick1")
+				. $_POST["Nick"] . Get_Text("makeuser_error_nick3");
+
+		elseif (strlen($_POST["email"]) <= 6 && strstr($_POST["email"], "@") == FALSE && strstr($_POST["email"], ".") == false)
+			$error = Get_Text("makeuser_error_mail");
+
+		elseif (!is_numeric($_POST["Alter"]))
+			$error = Get_Text("makeuser_error_Alter");
+
+		elseif ($_POST["Passwort"] != $_POST["Passwort2"])
+			$error = Get_Text("makeuser_error_password1");
+
+		elseif (strlen($_POST["Passwort"]) < 6)
+			$error = Get_Text("makeuser_error_password2");
+
 		else {
 			$_POST["Passwort"] = PassCrypt($_POST["Passwort"]);
 			unset ($_POST["Passwort2"]);
@@ -35,15 +48,26 @@ function guest_register() {
 			"`Size`, " . "`Passwort`, " .
 			"`Art` , " . "`kommentar`, " .
 			"`Hometown`," . "`CreateDate`, `Sprache` ) " .
-			"VALUES ( " .
-			"'" . $_POST["Nick"] . "', " . "'" . $_POST["Name"] . "', " .
-			"'" . $_POST["Vorname"] . "', " . "'" . $_POST["Alter"] . "', " .
-			"'" . $_POST["Telefon"] . "', " . "'" . $_POST["DECT"] . "', " .
-			"'" . $_POST["Handy"] . "', " . "'" . $_POST["email"] . "', " .
-			"'" . $_POST["ICQ"] . "', " . "'" . $_POST["jabber"] . "', " .
-			"'" . $_POST["Size"] . "', " . "'" . $_POST["Passwort"] . "', " .
-			"'" . $_POST["Art"] . "', " . "'" . $_POST["kommentar"] . "', " .
-			"'" . $_POST["Hometown"] . "'," . "NOW(), '" . $_SESSION['Sprache'] . "')");
+			"VALUES ( '"
+				. sql_escape($_POST["Nick"]) . "', " . "'"
+				. sql_escape($_POST["Name"]) . "', " . "'"
+				. sql_escape($_POST["Vorname"]) . "', " . "'"
+				. sql_escape($_POST["Alter"]) . "', " . "'"
+				. sql_escape($_POST["Telefon"]) . "', " . "'"
+				. sql_escape($_POST["DECT"]) . "', " . "'"
+				. sql_escape($_POST["Handy"]) . "', " . "'"
+				. sql_escape($_POST["email"]) . "', " . "'"
+				. sql_escape($_POST["ICQ"]) . "', " . "'"
+				. sql_escape($_POST["jabber"]) . "', " . "'"
+				. sql_escape($_POST["Size"]) . "', " . "'"
+				. sql_escape($_POST["Passwort"]) . "', " . "'"
+				. sql_escape($_POST["Art"]) . "', " . "'"
+				. sql_escape($_POST["kommentar"]) . "', " . "'"
+				. sql_escape($_POST["Hometown"]) . "',"
+				. "NOW(), '"
+				. sql_escape($_SESSION["Sprache"])
+				. "')"
+			);
 
 			if ($Erg != 1) {
 				$html .= Get_Text("makeuser_error_write1") . "<br />\n";
@@ -242,4 +266,4 @@ function guest_login_form() {
 		'send' => Get_Text("index_lang_send")
 	));
 }
-?>
\ No newline at end of file
+?>
-- 
cgit v1.2.3-54-g00ecf