Timestamp:
Apr 8, 2006 3:07:57 AM (18 years ago)
Author:
scdev
Message:

Changed all usage of addslashes to mysql_real_escape_quotes

File:
1 edited

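--- a/branches/1.1dev/lib/OrderStatus.inc.php
+++ b/branches/1.1dev/lib/OrderStatus.inc.php
@@ -18,5 +18,5 @@
 {
     if ($status != '') {
-        $whereclause = 'WHERE status = ' . addslashes($status);
+        $whereclause = 'WHERE status = ' . mysql_real_escape_string($status);
     } else {
         $whereclause = '';
@@ -52,5 +52,5 @@
     global $CFG, $_SESSION;
 
-    $qid = dbQuery("SELECT status, email, first_name, last_name FROM order_tbl WHERE order_id = " . addslashes($order_id));
+    $qid = dbQuery("SELECT status, email, first_name, last_name FROM order_tbl WHERE order_id = " . mysql_real_escape_string($order_id));
     if (mysql_num_rows($qid) == 1) {
     /* The order exists, we contine. */
@@ -105,5 +105,5 @@
         /* Otherwise we assume everything was updated okay and that
          * we have a valid new status and so proceed updating the orders table. */
-        dbQuery("UPDATE order_tbl SET status = " . addslashes($db_update) . " WHERE order_id = " . addslashes($order_id));
+        dbQuery("UPDATE order_tbl SET status = " . mysql_real_escape_string($db_update) . " WHERE order_id = " . mysql_real_escape_string($order_id));
        
         if ($email_user == true) {
@@ -111,5 +111,5 @@
            
             /* Query to load the details of this order. */
-            $qid_order = dbQuery("SELECT * FROM order_tbl WHERE order_id = " . addslashes($order_id));
+            $qid_order = dbQuery("SELECT * FROM order_tbl WHERE order_id = " . mysql_real_escape_string($order_id));
             $order = mysql_fetch_assoc($qid_order);
 
@@ -129,5 +129,5 @@
                 LEFT JOIN product_tbl p
                 ON (oi.product_id = p.product_id)
-                WHERE oi.order_id = " . addslashes($order_id) . "
+                WHERE oi.order_id = " . mysql_real_escape_string($order_id) . "
             ");
             $item_num = 0;
@@ -214,5 +214,5 @@
 
     if ($polarity == '+' || $polarity == '-') {
-        $qid = dbQuery("SELECT product_id, qty as order_qty FROM order_items_tbl WHERE order_id = " . addslashes($order_id));
+        $qid = dbQuery("SELECT product_id, qty as order_qty FROM order_items_tbl WHERE order_id = " . mysql_real_escape_string($order_id));
         /* First we make sure each item is in stock in adequate quantities. */
         while ($order_item = mysql_fetch_assoc($qid)) {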
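Review bot: Replacing addslashes with mysql_real_escape_string does not close the injection in any of these six hunks, because every escaped value is concatenated into the SQL without surrounding quotes (`'WHERE status = ' . mysql_real_escape_string($status)`, `"... WHERE order_id = " . mysql_real_escape_string($order_id)`); escaping only neutralises quote and control characters, so a value containing none reaches the query text unchanged. For the numeric order_id comparisons (lines 54, 113, 131, 216) the robust form is a cast, `" . (int) $order_id`, and for the string comparisons at lines 20 and 107 the escaped value must be wrapped in quotes, `"WHERE status = '" . mysql_real_escape_string($status) . "'"` and the same for `$db_update`; the status branch at line 20 was already emitting an unquoted comparison before this change, which presumably only works if status values are numeric. mysql_real_escape_string also requires an open MySQL connection at call time, which addslashes did not, so if dbQuery opens the connection lazily the first call in each function may run before any connection exists (cannot be confirmed from these hunks). Every enclosing function here starts and ends outside the hunks.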