From 084e1ae5603f4204945d25afcfabaeb1198df20f Mon Sep 17 00:00:00 2001
From: Hari Sankar R
Date: Tue, 3 Apr 2012 22:15:59 +0530
Subject: [ticket/10561] All users can choose deactivated styles (fixed). A form exploit enabled the users to select a deactivated style. Fixed with extra check on submit, with a new function styles_verify to check if the selected style is activated or not. PHPBB3-10561
---
 phpBB/includes/functions.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 0320230a7d..530638c56b 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -1238,6 +1238,24 @@ function style_select($default = '', $all = false)
 return $style_options;
 }
 
+/**
+* Check if style is activated
+*/
+function style_verify($style_id = 0)
+{
+ global $db;
+
+ $sql = 'SELECT style_id, style_active
+ FROM ' . STYLES_TABLE . "
+ WHERE style_id = $style_id";
+ $result = $db->sql_query($sql);
+
+ $style_verified = $db->sql_fetchrow($result);
+ $db->sql_freeresult($result);
+
+ return $style_verified['style_active'];
+}
+
 /**
 * Pick a timezone
 */
-- cgit v1.2.1
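Review bot: `style_verify()` places `$style_id` directly into the query text (`WHERE style_id = $style_id`) without casting it, so the function is only safe if every caller has already forced the value to an integer. The callers are not part of this hunk (the page is limited to functions.php), so the cast belongs inside the function: build the clause as `' WHERE style_id = ' . (int) $style_id;`. When no row matches, `sql_fetchrow()` yields no row (false in phpBB's DBAL, as far as I know) and the last line indexes into it, so the "not active" answer for an unknown id is only an implicit null; `return ($style_verified) ? (bool) $style_verified['style_active'] : false;` makes the fail-closed result explicit. The docblock should also state the contract, e.g. `@param int $style_id` and `@return bool true only if the style exists and is active`.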