neoinvoice
DEFUNCT: PHP/MySQL: Multi-Tenant Invoice Web App
Hello Thomas, There is a blind SQL injection flaw in the signup_check.php file, specifically with the "value" parameter. Here is a URL that will demonstrate the issue: http://localhost/signup_check.php?field=username&value='+OR+SLEEP(5)+OR+' See line...
Column sorting variables should use a switch statement to make sure they're valid. Just skimming, and e.g. in: controllers/invoice.php $data['invoices'] = $this->invoice_model->select_multiple($this->session->userdata('company_id'), $page, $this->pref_user['per_page'], TRUE, $sort_col); $sort_col appears to be...