# HG changeset patch
# User Dan
# Date 1250869646 14400
# Node ID 3343a05e7e5b8c54c2291a92910f8175a8ac1a62
# Parent  742cb0f10766c069fe9c7b0f567eff3de2e610e2
SECURITY: Comments: fix poor sanitization of subject on initial submit

diff -r 742cb0f10766 -r 3343a05e7e5b includes/comment.php
--- a/includes/comment.php	Thu Aug 20 21:15:19 2009 -0400
+++ b/includes/comment.php	Fri Aug 21 11:47:26 2009 -0400
@@ -312,6 +312,7 @@
           $subj = htmlspecialchars($data['subj']);
           $text = RenderMan::preprocess_text($data['text'], true, false);
           $src = $text;
+          $sql_subj = $db->escape($subj);
           $sql_text = $db->escape($text);
           $text = RenderMan::render($text);
           $appr = ( getConfig('approve_comments', '0') == '1' ) ? COMMENT_UNAPPROVED : COMMENT_APPROVED;
@@ -325,7 +326,7 @@
           
           // Send it to the database
           $q = $db->sql_query('INSERT INTO '.table_prefix.'comments(page_id,namespace,name,subject,comment_data,approved, time, user_id, ip_address) VALUES' . "\n  " .
-                             "('$this->page_id', '$this->namespace', '$name', '$subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
+                             "('$this->page_id', '$this->namespace', '$name', '$sql_subj', '$sql_text', $appr, $time, {$session->user_id}, '$ip');");
           if(!$q)
             $db->die_json();