Context Navigation

← Previous Change
Next Change →

admin.php

Timestamp:

Apr 8, 2006 8:35:17 AM (18 years ago)

Author:

scdev

Message:

changed addslashes to mysql_real_escape_string

File:

: 1 edited

branches/1.1dev/bin/module_maker/skel/admin.php (modified) (6 diffs)

Legend:

: Unmodified
: Added
: Removed

branches/1.1dev/bin/module_maker/skel/admin.php

-                      r89
+                      r90
         if (getFormdata('repeat', false)) {
             // Display edit function with next available ID.
             $qid = dbQuery("SELECT %PRIMARY_KEY% FROM %DB_TBL% WHERE %PRIMARY_KEY% > '" . addslashes(getFormData('%PRIMARY_KEY%')) . "' ORDER BY %PRIMARY_KEY% ASC LIMIT 1");
+            $qid = dbQuery("SELECT %PRIMARY_KEY% FROM %DB_TBL% WHERE %PRIMARY_KEY% > '" . mysql_real_escape_string(getFormData('%PRIMARY_KEY%')) . "' ORDER BY %PRIMARY_KEY% ASC LIMIT 1");
             if (list($next_id) = mysql_fetch_row($qid)) {
                 dieURL($_SERVER['PHP_SELF'] . '?op=edit&%PRIMARY_KEY%=' . $next_id);
 …
             SELECT *
             FROM %DB_TBL%
             WHERE %PRIMARY_KEY% = '" . addslashes($id) . "'
+            WHERE %PRIMARY_KEY% = '" . mysql_real_escape_string($id) . "'
         ");
         if (!$frm = mysql_fetch_assoc($qid)) {
 …
             SELECT <##>
             FROM %DB_TBL%
             WHERE %PRIMARY_KEY% = '" . addslashes($id) . "'
+            WHERE %PRIMARY_KEY% = '" . mysql_real_escape_string($id) . "'
         ");
         if (! list($name) = mysql_fetch_row($qid)) {
 …
         // Delete the record.
         dbQuery("DELETE FROM %DB_TBL% WHERE %PRIMARY_KEY% = '" . addslashes($id) . "'");
+        dbQuery("DELETE FROM %DB_TBL% WHERE %PRIMARY_KEY% = '" . mysql_real_escape_string($id) . "'");
         raiseMsg(sprintf(_("The %ITEM_TITLE% <strong>%s</strong> has been deleted."), $name), MSG_SUCCESS, __FILE__, __LINE__);
 …
     if (getFormData('filter_<##>', false)) {
         // Limit by filter.
         $where_clause .= (empty($where_clause) ? 'WHERE' : 'AND') . " <##> = '" . addslashes(getFormData('filter_<##>')) . "'";
+        $where_clause .= (empty($where_clause) ? 'WHERE' : 'AND') . " <##> = '" . mysql_real_escape_string(getFormData('filter_<##>')) . "'";
+    }
 …
         dbQuery("
             UPDATE %DB_TBL% SET
                 rank = '" . addslashes($new_rank) . "'
             WHERE %PRIMARY_KEY% = '" . addslashes($id) . "'
+                rank = '" . mysql_real_escape_string($new_rank) . "'
+            WHERE %PRIMARY_KEY% = '" . mysql_real_escape_string($id) . "'
         ");
+    }

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 90 for branches/1.1dev/bin/module_maker/skel/admin.php

Legend:

branches/1.1dev/bin/module_maker/skel/admin.php

Download in other formats: