Disable-Users
Don't write unfiltered POST data to database
Hi,
you have those lines in the function user_profile_field_save:
```php
if ( !isset( $_POST['ja_disable_user'] ) ) {
    $disabled = 0;
} else {
    $disabled = $_POST['ja_disable_user'];
}
update_user_meta( $user_id, 'ja_disable_user', $disabled );
```
This writes the contents of $_POST['ja_disable_user'] directly to the database. You should avoid this and rather change the else block to
```php
} else {
    $disabled = 1;
}
```
Yep, you are definitely right. I'll try to push an update out for this when I get time. Thanks for reporting.
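The difference between the reported code and the suggested fix, as an added example that is not part of the thread or the plugin's own code. The two function names, the stand-in for `update_user_meta()` and the sample request bodies are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Outside WordPress, a stub stands in
// for update_user_meta() and records what would be written to usermeta.
if ( ! function_exists( 'update_user_meta' ) ) {
    $GLOBALS['fake_usermeta'] = array();
    function update_user_meta( $user_id, $key, $value ) {
        $GLOBALS['fake_usermeta'][ $user_id ][ $key ] = $value;
        return true;
    }
}

// Behaviour reported in the issue: the raw field value is stored.
// (Hypothetical function name.)
function save_disabled_flag_unfiltered( $user_id, array $post ) {
    $disabled = isset( $post['ja_disable_user'] ) ? $post['ja_disable_user'] : 0;
    update_user_meta( $user_id, 'ja_disable_user', $disabled );
    return $disabled;
}

// Suggested behaviour: only the presence of the checkbox is used, so the
// stored value is always the integer 0 or 1. (Hypothetical function name.)
function save_disabled_flag_fixed( $user_id, array $post ) {
    $disabled = isset( $post['ja_disable_user'] ) ? 1 : 0;
    update_user_meta( $user_id, 'ja_disable_user', $disabled );
    return $disabled;
}

// Constructed request bodies: a ticked checkbox, an unticked one, a string
// the form never sends, and an array (ja_disable_user[]=x).
$samples = array(
    array( 'ja_disable_user' => '1' ),
    array(),
    array( 'ja_disable_user' => 'anything the client chooses to send' ),
    array( 'ja_disable_user' => array( 'x' ) ),
);

foreach ( $samples as $post ) {
    printf(
        "unfiltered stores %s, fixed stores %s\n",
        json_encode( save_disabled_flag_unfiltered( 42, $post ) ),
        json_encode( save_disabled_flag_fixed( 42, $post ) )
    );
}
```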