Timestamp:
Apr 8, 2006 3:07:57 AM (18 years ago)
Author:
scdev
Message:

Changed all usage of addslashes to mysql_real_escape_quotes

File:
1 edited

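--- a/branches/1.1dev/lib/AuthSQL.inc.php
+++ b/branches/1.1dev/lib/AuthSQL.inc.php
@@ -185,6 +185,6 @@
             SELECT *, " . $this->_params['user_id_column'] . " AS user_id
             FROM " . $this->_params['user_tbl'] . "
-            WHERE BINARY username = '" . addslashes($username) . "'
-            AND BINARY userpass = '" . addslashes($this->encryptPassword($password)) . "'
+            WHERE BINARY username = '" . mysql_real_escape_string($username) . "'
+            AND BINARY userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "'
         ");
        
@@ -331,5 +331,5 @@
             $qid = dbQuery("
                 SELECT 1 FROM " . $this->_params['user_tbl'] . "
-                WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'
+                WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'
                 AND DATE_ADD(last_login_datetime, INTERVAL '" . $this->_params['login_timeout'] . "' SECOND) > NOW()
                 AND DATE_ADD(last_access_datetime, INTERVAL '" . $this->_params['idle_timeout'] . "' SECOND) > NOW()
@@ -444,5 +444,5 @@
     {
         if ($this->getFeature('blocking')) {
-            if (strlen(addslashes($reason)) > 255) {
+            if (strlen(mysql_real_escape_string($reason)) > 255) {
                 // blocked_reason field is varchar(255).
                 logMsg(sprintf('Blocked reason provided is greater than 255 characters: %s', $reason), LOG_WARNING, __FILE__, __LINE__);
@@ -454,6 +454,6 @@
                 UPDATE " . $this->_params['user_tbl'] . " SET
                 blocked = 'true',
-                blocked_reason = '" . addslashes($reason) . "'
-                WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'
+                blocked_reason = '" . mysql_real_escape_string($reason) . "'
+                WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'
             ");
         }
@@ -472,5 +472,5 @@
                 blocked = '',
                 blocked_reason = ''
-                WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'
+                WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'
             ");
         }
@@ -486,5 +486,5 @@
     function usernameExists($username)
     {   
-        $qid = dbQuery("SELECT 1 FROM " . $this->_params['user_tbl'] . " WHERE username = '" . addslashes($username) . "'");
+        $qid = dbQuery("SELECT 1 FROM " . $this->_params['user_tbl'] . " WHERE username = '" . mysql_real_escape_string($username) . "'");
         return (mysql_num_rows($qid) > 0);
     }
@@ -499,5 +499,5 @@
     function getUsername($user_id)
     {   
-        $qid = dbQuery("SELECT " . $this->_params['username_column'] . " FROM " . $this->_params['user_tbl'] . " WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'");
+        $qid = dbQuery("SELECT " . $this->_params['username_column'] . " FROM " . $this->_params['user_tbl'] . " WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'");
         if (list($username) = mysql_fetch_row($qid)) {
             return $username;
@@ -577,6 +577,6 @@
         dbQuery("
             UPDATE " . $this->_params['user_tbl'] . "
-            SET userpass = '" . addslashes($this->encryptPassword($password)) . "'
-            WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'
+            SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "'
+            WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'
         ");
     }
@@ -600,5 +600,5 @@
         $qid = dbQuery("
             SELECT * FROM " . $this->_params['user_tbl'] . "
-            WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'
+            WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'
         ");
         $user_data = mysql_fetch_assoc($qid);
@@ -610,6 +610,6 @@
         dbQuery("
             UPDATE " . $this->_params['user_tbl'] . "
-            SET userpass = '" . addslashes($this->encryptPassword($password)) . "'
-            WHERE " . $this->_params['user_id_column'] . " = '" . addslashes($user_id) . "'
+            SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "'
+            WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'
         ");
 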
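Review bot: Every new `mysql_real_escape_string()` call is made without a link identifier and without checking its result; with no open connection the function returns false, which concatenates to an empty string, so the login query at 185-190 would be issued as `WHERE BINARY username = '' AND BINARY userpass = ''` and the callers at 333, 474 and 602 would silently match nothing. Since the file already routes queries through `dbQuery()`, the same pattern fits here: a small project helper that calls `mysql_real_escape_string()` on the active link and logs via `logMsg()` and aborts when it returns false, used in place of the bare call at each of these sites. The escaped-length check at 446 measures the escaped string rather than the value MySQL stores after un-escaping, so a reason containing quotes can be rejected at well under 255 stored characters; the pre-change code had the same behaviour, but `strlen($reason) > 255` is what the `varchar(255)` comment at 447 describes. The `login_timeout` and `idle_timeout` values interpolated at 334-335 are presumably configuration rather than request input and are left unescaped; worth a comment saying so. The commit message names `mysql_real_escape_quotes`, but the function used is `mysql_real_escape_string`; each hunk sits inside a method whose start or end lies outside the shown lines.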