SQL injection
Hi,
I think I found an SQL injection in custom-maintenance-mode via a POST request to the cmmemail argument in ajax_subscriber.php:
```php
$wpuser_result = $wpdb->get_results("SELECT * FROM ".$table_name." WHERE cmm_email='".$_GET['cmmemail']."'");

foreach ( $wpuser_result as $userdetails ) {
    $cmm_email = $userdetails->cmm_email;
}
if($cmm_email!="")
{
    echo $msg = "Aleardy";
}
else
{
    $wpdb->insert( $table_name, array( 'cmm_email' => $_GET['cmmemail'], 'cmm_date' => date('Y:m:d H:i:s')) );
    echo $msg = "Success";
}
```
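For comparison with the snippet in the post above, here is the same lookup and insert with the value bound through `$wpdb->prepare()` instead of concatenated into the query. This is an added example, not part of the original post and not the plugin's own fix. The function name `cmm_subscribe_hardened`, the table name `cmm_subscribers` and the `Invalid` response are assumptions, and the code assumes it runs inside a loaded WordPress.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded, so
// $wpdb, is_email(), sanitize_email() and wp_unslash() are available.

/**
 * Hypothetical helper: subscribe an address without building SQL by
 * string concatenation. Returns the response string to send back.
 */
function cmm_subscribe_hardened( $wpdb, $table_name, $raw_email ) {
    // WordPress adds slashes to request data; unslash, then normalise.
    $email = sanitize_email( wp_unslash( $raw_email ) );

    // Reject anything that is not a syntactically valid address.
    if ( '' === $email || ! is_email( $email ) ) {
        return 'Invalid'; // hypothetical response, not in the original
    }

    // %s placeholder: prepare() escapes and quotes the value, so it cannot
    // break out of the string literal. $table_name is assumed to be a fixed
    // name built from $wpdb->prefix, never taken from request data.
    $exists = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$table_name} WHERE cmm_email = %s",
            $email
        )
    );

    if ( (int) $exists > 0 ) {
        return 'Aleardy'; // spelling kept from the original response
    }

    // insert() escapes each value itself; formats are given explicitly.
    $wpdb->insert(
        $table_name,
        array( 'cmm_email' => $email, 'cmm_date' => date( 'Y:m:d H:i:s' ) ),
        array( '%s', '%s' )
    );

    return 'Success';
}

global $wpdb;
$table_name = $wpdb->prefix . 'cmm_subscribers'; // hypothetical table name
// Accept only a scalar string; an array parameter is treated as empty.
$raw = ( isset( $_GET['cmmemail'] ) && is_string( $_GET['cmmemail'] ) ) ? $_GET['cmmemail'] : '';
echo cmm_subscribe_hardened( $wpdb, $table_name, $raw );
```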