Changeset 82 for branches/1.1dev/lib/AuthSQL.inc.php
- Timestamp:
- Apr 8, 2006 3:07:57 AM (18 years ago)
- File:
-
- 1 edited
branches/1.1dev/lib/AuthSQL.inc.php
r81 r82 185 185 SELECT *, " . $this->_params['user_id_column'] . " AS user_id 186 186 FROM " . $this->_params['user_tbl'] . " 187 WHERE BINARY username = '" . addslashes($username) . "'188 AND BINARY userpass = '" . addslashes($this->encryptPassword($password)) . "'187 WHERE BINARY username = '" . mysql_real_escape_string($username) . "' 188 AND BINARY userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "' 189 189 "); 190 190 … … 331 331 $qid = dbQuery(" 332 332 SELECT 1 FROM " . $this->_params['user_tbl'] . " 333 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'333 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 334 334 AND DATE_ADD(last_login_datetime, INTERVAL '" . $this->_params['login_timeout'] . "' SECOND) > NOW() 335 335 AND DATE_ADD(last_access_datetime, INTERVAL '" . $this->_params['idle_timeout'] . "' SECOND) > NOW() … … 444 444 { 445 445 if ($this->getFeature('blocking')) { 446 if (strlen( addslashes($reason)) > 255) {446 if (strlen(mysql_real_escape_string($reason)) > 255) { 447 447 // blocked_reason field is varchar(255). 448 448 logMsg(sprintf('Blocked reason provided is greater than 255 characters: %s', $reason), LOG_WARNING, __FILE__, __LINE__); … … 454 454 UPDATE " . $this->_params['user_tbl'] . " SET 455 455 blocked = 'true', 456 blocked_reason = '" . addslashes($reason) . "'457 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'456 blocked_reason = '" . mysql_real_escape_string($reason) . "' 457 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 458 458 "); 459 459 } … … 472 472 blocked = '', 473 473 blocked_reason = '' 474 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'474 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . 
"' 475 475 "); 476 476 } … … 486 486 function usernameExists($username) 487 487 { 488 $qid = dbQuery("SELECT 1 FROM " . $this->_params['user_tbl'] . " WHERE username = '" . addslashes($username) . "'");488 $qid = dbQuery("SELECT 1 FROM " . $this->_params['user_tbl'] . " WHERE username = '" . mysql_real_escape_string($username) . "'"); 489 489 return (mysql_num_rows($qid) > 0); 490 490 } … … 499 499 function getUsername($user_id) 500 500 { 501 $qid = dbQuery("SELECT " . $this->_params['username_column'] . " FROM " . $this->_params['user_tbl'] . " WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'");501 $qid = dbQuery("SELECT " . $this->_params['username_column'] . " FROM " . $this->_params['user_tbl'] . " WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'"); 502 502 if (list($username) = mysql_fetch_row($qid)) { 503 503 return $username; … … 577 577 dbQuery(" 578 578 UPDATE " . $this->_params['user_tbl'] . " 579 SET userpass = '" . addslashes($this->encryptPassword($password)) . "'580 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'579 SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "' 580 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 581 581 "); 582 582 } … … 600 600 $qid = dbQuery(" 601 601 SELECT * FROM " . $this->_params['user_tbl'] . " 602 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'602 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 603 603 "); 604 604 $user_data = mysql_fetch_assoc($qid); … … 610 610 dbQuery(" 611 611 UPDATE " . $this->_params['user_tbl'] . " 612 SET userpass = '" . addslashes($this->encryptPassword($password)) . "'613 WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'612 SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . 
"' 613 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' 614 614 "); 615 615
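Review bot: Every hunk now depends on mysql_real_escape_string(), which needs an open MySQL link and returns false (after failing to open a default one) when none exists; concatenated into the query, false becomes an empty string, so a call made before dbQuery() has connected would silently turn the first lookup into `WHERE BINARY username = ''` instead of failing loudly. Whether dbQuery() is what opens the link is not visible here, so if it is, the escaping should go through a small wrapper that checks the return value, e.g. `$e = mysql_real_escape_string($s); if ($e === false) { trigger_error('no MySQL link for escaping', E_USER_ERROR); }`, and use that wrapper at every site changed in this changeset (185-188, 333, 446-457, 474, 488, 501, 579-580, 602, 612-613). Separately, the length guard at 446 now measures the escaped string while the varchar(255) column stores the unescaped value, so it rejects legitimate reasons containing quotes; `if (strlen($reason) > 255) {` is the intended check. The queries remain string-built; the durable fix is mysqli/PDO prepared statements, which would also remove the link-state dependency. Every function touched here starts outside its hunk.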