Fixed SQL injection vulnerability with json_decode()

bgrawi · bgrawi · commit 93c47ad2f137 · 2014-10-27T23:11:34.000-04:00
diff --git a/api/schedule.php b/api/schedule.php
@@ -325,7 +325,7 @@ function renderSvg($svg, $id) {
 			$json = stripslashes($_POST['data']);
 		
 			// Make sure the object was successfully decoded
-			$json = json_decode($json, true);
+			$json = sanitize(json_decode($json, true));
 			if($json == null) {
 				die(json_encode(array("error" => "argument", "msg" => "The schedule could not be decoded", "arg" => "schedule")));
 			}

Original file line number	Diff line number	Diff line change
`@@ -325,7 +325,7 @@ function renderSvg($svg, $id) {`
`325`	`325`	`$json = stripslashes($_POST['data']);`
`326`	`326`
`327`	`327`	`// Make sure the object was successfully decoded`
`328`		`- $json = json_decode($json, true);`
	`328`	`+ $json = sanitize(json_decode($json, true));`
`329`	`329`	`if($json == null) {`
`330`	`330`	`die(json_encode(array("error" => "argument", "msg" => "The schedule could not be decoded", "arg" => "schedule")));`
`331`	`331`	`}`