Noticed from the SQL errors displayed in issue #504 (URL with the empty sessions parameter) that the /ws/highdata.php
'vid' and 'sessions' parameters are not handled safely.
This would appear to be an issue with the way sanitizer.php handles things, as that code /should/ be working, which means other things may very well have the same issue.
Edit(0): confirmed that at least newvis.php suffers from what appears at first glance to be the same issue.
Edit(1): confirmed upload.php's "id" parameter is injectable. The google_key param should also be vulnerable.
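To illustrate the class of bug the report describes (request parameters concatenated into SQL, so an empty value produces a database error and a crafted value changes the query), here is an added example that is not code from this project; it uses Python with an in-memory SQLite table rather than the project's PHP, and the table, column names and sample rows are constructed assumptions. The vulnerable function shows the failure modes, and the hardened one validates the shape of 'vid' and 'sessions' and binds every value as a query parameter.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for whatever highdata.php really
    # queries; the schema and rows are assumptions for this demo only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE highdata (vid INTEGER, session INTEGER, val TEXT)")
    db.executemany(
        "INSERT INTO highdata VALUES (?, ?, ?)",
        [(1, 10, "a"), (1, 11, "b"), (2, 10, "c"), (3, 12, "d")],
    )
    return db


def query_vulnerable(db, vid, sessions):
    # Raw interpolation of request parameters: the pattern behind the errors
    # seen in the bug report. An empty 'vid' yields "vid =  AND", a syntax
    # error; a crafted 'sessions' closes the IN list and appends its own clause.
    # (SQLite tolerates an empty "IN ()"; MySQL raises a syntax error for it.)
    sql = (f"SELECT val FROM highdata WHERE vid = {vid} "
           f"AND session IN ({sessions}) ORDER BY val")
    return [row[0] for row in db.execute(sql)]


def query_safe(db, vid, sessions):
    # Validate the shape first (both parameters must be integers), then bind
    # every value as a parameter so the input can never alter the SQL text.
    try:
        vid_int = int(vid)
        session_ints = [int(s) for s in sessions.split(",") if s.strip() != ""]
    except ValueError:
        raise ValueError("vid and sessions must be integers")
    if not session_ints:
        # Empty session list: nothing can match, and we never emit "IN ()".
        return []
    placeholders = ",".join("?" * len(session_ints))
    sql = (f"SELECT val FROM highdata WHERE vid = ? "
           f"AND session IN ({placeholders}) ORDER BY val")
    return [row[0] for row in db.execute(sql, [vid_int, *session_ints])]


def vulnerable_errors(db, vid, sessions):
    """True if the vulnerable query raises a database error for this input."""
    try:
        query_vulnerable(db, vid, sessions)
        return False
    except sqlite3.OperationalError:
        return True


def safe_rejects(db, vid, sessions):
    """True if the hardened query rejects this input before touching the DB."""
    try:
        query_safe(db, vid, sessions)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("normal:", query_vulnerable(db, "1", "10,11"))
    print("empty vid errors:", vulnerable_errors(db, "", "10"))
    print("injected sessions:", query_vulnerable(db, "1", "10) OR (1=1"))
    print("safe normal:", query_safe(db, "1", "10,11"))
    print("safe empty sessions:", query_safe(db, "1", ""))
    print("safe rejects injection:", safe_rejects(db, "1", "10) OR (1=1"))
```

The same split applies in the PHP handlers named in the report: reject anything that is not the expected integer list before building the statement, and pass the values through prepared-statement placeholders rather than through a string sanitizer, so an empty or malformed parameter becomes a clean 4xx response instead of a database error page.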
For motivation: