Fight against $_POST

2025-12-06 01:28:19 +01:00 · 2020-11-30 14:47:07 +01:00
parent fa8b960520
commit 00ad6df395
51 changed files with 199 additions and 211 deletions
--- a/htdocs/admin/boxes.php
+++ b/htdocs/admin/boxes.php
@@ -54,19 +54,18 @@ if ($action == 'addconst')

 if ($action == 'add') {
 	$error = 0;
+	$boxids = GETPOST('boxid', 'array');
+
 	$db->begin();
-	if (isset($_POST['boxid']) && is_array($_POST['boxid']))
-	{
-		foreach ($_POST['boxid'] as $boxid)
-		{
+	if (is_array($boxids)) {
+		foreach ($boxids as $boxid) {
 			if (is_numeric($boxid['pos']) && $boxid['pos'] >= 0)	// 0=Home, 1=...
 			{
 				$pos = $boxid['pos'];

 				// Initialize distinct fk_user with all already existing values of fk_user (user that use a personalized view of boxes for page "pos")
 				$distinctfkuser = array();
-				if (!$error)
-				{
+				if (!$error) {
 					$sql = "SELECT fk_user";
 					$sql .= " FROM ".MAIN_DB_PREFIX."user_param";
 					$sql .= " WHERE param = 'MAIN_BOXES_".$db->escape($pos)."' AND value = '1'";
@@ -146,7 +145,7 @@ if ($action == 'add') {
 if ($action == 'delete')
 {
 	$sql = "SELECT box_id FROM ".MAIN_DB_PREFIX."boxes";
-	$sql .= " WHERE rowid=".$rowid;
+	$sql .= " WHERE rowid=".((int) $rowid);

 	$resql = $db->query($sql);
 	$obj = $db->fetch_object($resql);