Timestamp:
Apr 8, 2006 8:35:17 AM (18 years ago)
Author:
scdev
Message:

changed addslashes to mysql_real_escape_string

File:
1 edited

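--- a/branches/1.1dev/bin/module_maker/sql.cli.php
+++ b/branches/1.1dev/bin/module_maker/sql.cli.php
@@ -39,5 +39,5 @@
 
 // Get DB table column info.
-$qid = dbQuery("DESCRIBE " . addslashes($db_tbl));
+$qid = dbQuery("DESCRIBE " . mysql_real_escape_string($db_tbl));
 while ($row = mysql_fetch_row($qid)) {
     $cols[] = $row;
@@ -68,5 +68,5 @@
         } else if ('added_by_admin_id' == $field || 'modified_by_admin_id' == $field) {
             // Toggle types.
-            $c[$field] = "'\" . addslashes(\$_admin->getVal('user_id')) . \"'";
+            $c[$field] = "'\" . mysql_real_escape_string(\$_admin->getVal('user_id')) . \"'";
         } else if ('added_datetime' == $field || 'modified_datetime' == $field) {
             // DB record insertion datetime.
@@ -74,5 +74,5 @@
         } else {
             // Default. Just insert data.
-            $c[$field] = "'\" . addslashes(\$frm['$field']) . \"'";
+            $c[$field] = "'\" . mysql_real_escape_string(\$frm['$field']) . \"'";
         }
     }
@@ -127,5 +127,5 @@
         dbQuery("
             UPDATE $db_tbl SET$key_eq_val
-            WHERE $primary_key = '" . addslashes(\$frm['$primary_key']) . "'
+            WHERE $primary_key = '" . mysql_real_escape_string(\$frm['$primary_key']) . "'
         ");
 E_O_F;
@@ -140,5 +140,5 @@
 $delim = 'WHERE';
 if (!empty($primary_key)) {
-    $where_clause = "            $delim $primary_key = '\" . addslashes(\$frm['$primary_key']) . \"'\n";
+    $where_clause = "            $delim $primary_key = '\" . mysql_real_escape_string(\$frm['$primary_key']) . \"'\n";
     $delim = 'AND';
 }
@@ -147,5 +147,5 @@
         continue;
     }
-    $where_clause .= "            $delim $k = '\" . addslashes(\$frm['$k']) . \"'\n";
+    $where_clause .= "            $delim $k = '\" . mysql_real_escape_string(\$frm['$k']) . \"'\n";
     $delim = 'AND';
 }
@@ -175,9 +175,9 @@
 if (!isset($op) || 'search' == $op) {
 $search_skip_columns = array('added_datetime', 'added_by_admin_id', 'modified_datetime', 'modified_by_admin_id', 'publish', 'featured');
-$search_columns = $db_tbl . '.' . join(" LIKE '%\" . addslashes(\$qry_words[\$i]) . \"%'\n                    OR $db_tbl.", array_diff(array_keys($c), $search_skip_columns));
+$search_columns = $db_tbl . '.' . join(" LIKE '%\" . mysql_real_escape_string(\$qry_words[\$i]) . \"%'\n                    OR $db_tbl.", array_diff(array_keys($c), $search_skip_columns));
 echo <<<E_O_F
             \$where_clause .= (empty(\$where_clause) ? 'WHERE' : 'AND') . "
                 (
-                    $search_columns LIKE '%" . addslashes(\$qry_words[\$i]) . "%'
+                    $search_columns LIKE '%" . mysql_real_escape_string(\$qry_words[\$i]) . "%'
                 )
             ";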
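Review bot: The substitution at line 41 in the first hunk does not protect the `DESCRIBE` query, because `$db_tbl` is used as an identifier and mysql_real_escape_string() only neutralises characters that matter inside a quoted string literal. A table name should instead be validated against a strict pattern and wrapped in backtick quotes rather than escaped, e.g. `if (!preg_match('/^\w+$/', $db_tbl)) { die("Invalid table name.\n"); }` before the dbQuery() call. Separately, mysql_real_escape_string() requires an open MySQL link and returns false otherwise; if dbQuery(), which is defined outside this hunk, is what establishes the connection, this first call runs before any link exists and the query collapses to `DESCRIBE ` — worth confirming. The remaining hunks place the escaped value inside single quotes in the generated code, where the swap is sound, provided the generated module has a live connection with a charset matching the one the link was opened with.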