From 377c24e13d403deedc399b427d3e776b2208b31a Mon Sep 17 00:00:00 2001
From: Philip Häusler
Date: Mon, 13 Jun 2011 19:04:16 +0200
Subject: secure page selection
---
 public/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'public/index.php')
diff --git a/public/index.php b/public/index.php
index e1a4496f..83443879 100644
--- a/public/index.php
+++ b/public/index.php
@@ -28,7 +28,7 @@ if (isset ($_REQUEST['auth']))
 // Gewünschte Seite/Funktion
 $p = isset ($user) ? "news" : "start";
-if (isset ($_REQUEST['p']))
+if (isset ($_REQUEST['p']) && preg_match("/^[a-z0-9_]*$/i", $_REQUEST['p']) && sql_num_query("SELECT * FROM `Privileges` WHERE `name`='" . sql_escape($_REQUEST['p']) . "' LIMIT 1") > 0)
   $p = $_REQUEST['p'];
 $title = Get_Text($p);
-- 
cgit v1.2.3-54-g00ecf
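Review bot: The `$` anchor in the added pattern `/^[a-z0-9_]*$/i` matches before a trailing newline in PCRE, so a value like `"news\n"` passes the character whitelist even though it is not a bare identifier; anchoring with `\z` (or the `D` modifier) closes that gap, and `+` instead of `*` rejects the empty string that `isset` lets through: `preg_match("/^[a-z0-9_]+\\z/i", $_REQUEST['p'])`. The regex is case-insensitive and the MySQL comparison on `Privileges.name` is presumably case-insensitive under the default collation, so `$p` can end up in a different case than the stored name — if `$p` is later used to build a file path or a key (not visible in this hunk), normalising it, e.g. `$p = strtolower($_REQUEST['p']);`, or dropping the `i` flag would keep it identical to the whitelisted value. Since the regex already restricts `p` to `[a-z0-9_]`, the `sql_escape` call is a harmless second layer; `SELECT 1 ... LIMIT 1` would express the existence check more cheaply than `SELECT *`. The `if` statement is complete within the hunk, but the earlier `$_REQUEST['auth']` branch named in the hunk header lies outside it.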