View Full Version : Possible SQL Injection and FIX for it

September 17, 2011, 04:42 AM
Hi all,
Recently in the result of a test there was revealed a SQL Injection in the script. This penetration is not critical but we are obliged to liquidate this blemish.
Please follow these instructions to fix this issue:

1. open the following file: /includes/controllers/dealers.inc.php
2. find the code (~line 107):

$dealers = $rlAccount -> searchDealers( $_POST['f'], $fields, $config['dealers_per_page'], $pInfo['current'] );
3. replace the code with new code:

$data = $rlValid -> xSql($_POST['f']);
$dealers = $rlAccount -> searchDealers( $data, $fields, $config['dealers_per_page'], $pInfo['current'] );
4. save changes.

Feel free to contact Flynax Support if you have any problems or questions regarding this issue.