From d665b237e46cd7facbd00f566c87cc046d980bf0 Mon Sep 17 00:00:00 2001
From: Robert Sesek <rsesek@bluestatic.org>
Date: Sun, 17 Jun 2007 20:27:30 +0000
Subject: [PATCH] r1559: Closing a SQL injection in register.php with the
 activationid

---
 docs/changes.txt | 1 +
 register.php     | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/changes.txt b/docs/changes.txt
index d970658..c0a5c46 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -1,6 +1,7 @@
 1.2.0
 ===============================
 - Fixed: In userctrl_search.tpl, the floated elements need to be before unfloated ones otherwise Gecko engine offsets it by a line
+- Fixed: Closed a SQL injection vector in register.php
 
 1.2.0 Release Candidate 1
 ===============================
diff --git a/register.php b/register.php
index 04c785f..4d516b1 100755
--- a/register.php
+++ b/register.php
@@ -163,7 +163,7 @@ if (empty($_REQUEST['do']))
 if ($_REQUEST['do'] == 'activate')
 {
 	$bugsys->input_clean('userid', TYPE_UINT);
-	if ($useractivation = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "useractivation WHERE userid = " . $bugsys->in['userid'] . " AND activator = '" . $bugsys->in['activator'] . "'"))
+	if ($useractivation = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "useractivation WHERE userid = " . $bugsys->in['userid'] . " AND activator = '" . $bugsys->input_escape('activator') . "'"))
 	{
 		$user = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "user WHERE userid = " . $bugsys->in['userid']);
 		$db->query("UPDATE " . TABLE_PREFIX . "user SET usergroupid = $useractivation[usergroupid] WHERE userid = " . $bugsys->in['userid']);
-- 
2.22.5