11
The patch to fix the specific SQL injection cited is pretty easy to make. Does someone have a copy of the "latest" MyAds module (whatever version that is)? If so I can tell you exactly what line number. Otherwise you can follow the instructions below.
Towards the bottom of the listing-p-f.php (or annonces-p-f.php depending on which version of MyAds you have) file you'll find the following code just before:
switch($op) {
You'll find:
foreach ($_POST as $k => $v) {
${$k} = $v;
}
$lid = isset( $_GET['lid'] ) ? $_GET['lid'] : '' ;
if(!isset($_POST['op']) && isset($_GET['op']) ) {
$op = $_GET['op'] ;
}
Just delete these lines or comment it out with // at the beginning of each line) and replace it with:
$lid = isset( $_GET['lid'] ) ? intval($_GET['lid']) : '' ;
$op = isset($_POST['op']) ? $_POST['op'] : '' ;
$op = isset($_GET['op']) ? $_GET['op'] : $op ;
$yname = isset($_POST['yname'] ? $myts->addSlashes($_POST['yname']) : '';
$ymail = isset($_POST['ymail'] ? $myts->addSlashes($_POST['ymail']) : '';
$fname = isset($_POST['fname'] ? $myts->addSlashes($_POST['fname']) : '';
$fmail = isset($_POST['fmail'] ? $myts->addSlashes($_POST['fmail']) : '';
Remember, place this BEFORE the switch($op) statement. By the way, the fix for the Job Listing module (jobs ver 1.9) is the same.
