In last weeks i had almost daily some new entries in Fusion Error Log about undefined indexes at download details page.
There are 2 different reasons for this:
1.) url parameter for download_id was manipulated and requested as:
/downloads.php?download_id=7[0]
2.) someone tried sql injection:
/downloads.php?download_id=-5442%27%29%29%20OR%207857%3D7857%20AND%20%28%28%27qCfV%27%3D%27qCfV
In both cases the download details site was shown with missing download data. That means there is no method included to handle invalid parameter data for download_id.
I've included a quick fix in my template file by adding following code after
defined('IN_FUSION') || exit;
:
// Fix for invalid download_id in url params
if (IsSet($_GET['download_id']) && (!IsNum($_GET['download_id']) || $_GET['download_id'] < 1)) {
redirect(DOWNLOADS.'downloads.php');
exit;
}
Maybe this change is better to implement in core files by dev team?