[ticket/10561] All users can choose deactivated styles (fixed).

A form exploit enabled the users to select a deactivated style. Fixed with extra check on submit, with a new function styles_verify to check if the selected style is activated or not. PHPBB3-10561
2025-08-06 08:47:45 +02:00 · 2012-04-03 22:15:59 +05:30
parent 3477b5e5a8
commit 084e1ae560
2 changed files with 20 additions and 1 deletions
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -1238,6 +1238,24 @@ function style_select($default = '', $all = false)
 	return $style_options;
 }

+/**
+* Check if style is activated
+*/
+function style_verify($style_id = 0)
+{
+	global $db;
+
+	$sql = 'SELECT style_id, style_active
+		FROM ' . STYLES_TABLE . "
+		WHERE style_id = $style_id";
+	$result = $db->sql_query($sql);
+
+	$style_verified = $db->sql_fetchrow($result);
+	$db->sql_freeresult($result);
+
+	return $style_verified['style_active'];
+}
+
 /**
 * Pick a timezone
 */