Replace abused mysql_escape_string with a regex check.

author: Andreas Jakum <aj-gh@users.noreply.github.com> 2020-12-26 23:06:50 +0100
committer: Andreas Jakum <aj-gh@users.noreply.github.com> 2020-12-26 23:06:50 +0100
commit: 75242961eedea7bf397c3736305ff1b4a01efd02 (patch)
tree: 4038984ef2f4c30d4952581a5928ecab088e7118 /index.php
parent: 1d5c8cb96ad9a1a9f61991a19b1362142b074430 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/index.php b/index.php
index a95fd6f..72213b0 100644
--- a/index.php
+++ b/index.php
@@ -1,9 +1,9 @@
 <?php
 session_start();
 
-if(isset($_REQUEST['lat'])) $lat = mysql_escape_string($_REQUEST['lat']);
-if(isset($_REQUEST['lng'])) $lng = mysql_escape_string($_REQUEST['lng']);
-if(isset($_REQUEST['res'])) $res = $_REQUEST['res'];
+if(isset($_REQUEST['lat']) && preg_match('/^\-?[0-9\.]+$/', $_REQUEST['lat']) $lat = $_REQUEST['lat'];
+if(isset($_REQUEST['lng']) && preg_match('/^\-?[0-9\.]+$/', $_REQUEST['lng']) $lng = $_REQUEST['lng'];
+if(isset($_REQUEST['res']) && preg_match('/^[0-9]+$/', $_REQUEST['res'])) $res = $_REQUEST['res'];
 
 //default values
 if(empty($lat)) $lat=47.07102;
author	Andreas Jakum <aj-gh@users.noreply.github.com>	2020-12-26 23:06:50 +0100
committer	Andreas Jakum <aj-gh@users.noreply.github.com>	2020-12-26 23:06:50 +0100
commit	75242961eedea7bf397c3736305ff1b4a01efd02 (patch)
tree	4038984ef2f4c30d4952581a5928ecab088e7118 /index.php
parent	1d5c8cb96ad9a1a9f61991a19b1362142b074430 (diff)