author | Starla Insigna <hatkirby@fourisland.com> | 2009-10-02 19:04:20 -0400 |
---|---|---|
committer | Starla Insigna <hatkirby@fourisland.com> | 2009-10-02 19:04:20 -0400 |
commit | 9dfba1e70866fb2bb551678f6e04b8ddfd5467e1 (patch) | |
tree | 81f4731ae7b2fa902226f084480e26411ac3ad71 /admin/editPoll.php | |
parent | 00586f1e8ada8f5baa6e3013525862dccac77b4a (diff) | |
Fixed HTML Entites problem
While fixing the poll escaping problem, a number of similar unescaped-output bugs were found; they are also fixed here. Fixes #115
Diffstat (limited to 'admin/editPoll.php')
-rw-r--r-- | admin/editPoll.php | 30 |
1 files changed, 15 insertions, 15 deletions
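--- a/admin/editPoll.php
+++ b/admin/editPoll.php
@@ -81,21 +81,21 @@ if (isset($_GET['submit']))
 $getpoll2 = mysql_query($getpoll);
 $getpoll3 = mysql_fetch_array($getpoll2);
 
-$template->add('QUESTIONVALUE', $_POST['question']);
-$template->add('OPTION1VALUE', $_POST['option1']);
-$template->add('OPTION2VALUE', $_POST['option2']);
-$template->add('OPTION3VALUE', $_POST['option3']);
-$template->add('OPTION4VALUE', $_POST['option4']);
+$template->add('QUESTIONVALUE', htmlentities($_POST['question']));
+$template->add('OPTION1VALUE', htmlentities($_POST['option1']));
+$template->add('OPTION2VALUE', htmlentities($_POST['option2']));
+$template->add('OPTION3VALUE', htmlentities($_POST['option3']));
+$template->add('OPTION4VALUE', htmlentities($_POST['option4']));
 $template->add('TEXTVALUE', $_POST['text']);
 } else {
 $inspoll = "UPDATE polloftheweek SET question = \"" . mysql_real_escape_string($_POST['question']) . "\", option1 = \"" . mysql_real_escape_string($_POST['option1']) . "\", option2 = \"" . mysql_real_escape_string($_POST['option2']) . "\", option3 = \"" . mysql_real_escape_string($_POST['option3']) . "\", option4 = \"" . mysql_real_escape_string($_POST['option4']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];
 $inspoll2 = mysql_query($inspoll);
 
-$template->add('QUESTIONVALUE', $_POST['question']);
-$template->add('OPTION1VALUE', $_POST['option1']);
-$template->add('OPTION2VALUE', $_POST['option2']);
-$template->add('OPTION3VALUE', $_POST['option3']);
-$template->add('OPTION4VALUE', $_POST['option4']);
+$template->add('QUESTIONVALUE', htmlentities($_POST['question']));
+$template->add('OPTION1VALUE', htmlentities($_POST['option1']));
+$template->add('OPTION2VALUE', htmlentities($_POST['option2']));
+$template->add('OPTION3VALUE', htmlentities($_POST['option3']));
+$template->add('OPTION4VALUE', htmlentities($_POST['option4']));
 $template->add('TEXTVALUE', $_POST['text']);
 
 $template->adds_block('FLASH', array('TEXT' => 'Your poll has been sucessfully edited. <a href="/poll/' . $_GET['id'] . '.php">View poll</a>.'));
@@ -105,11 +105,11 @@ if (isset($_GET['submit']))
 $getpoll2 = mysql_query($getpoll);
 $getpoll3 = mysql_fetch_array($getpoll2);
 
-$template->add('QUESTIONVALUE', $getpoll3['question']);
-$template->add('OPTION1VALUE', $getpoll3['option1']);
-$template->add('OPTION2VALUE', $getpoll3['option2']);
-$template->add('OPTION3VALUE', $getpoll3['option3']);
-$template->add('OPTION4VALUE', $getpoll3['option4']);
+$template->add('QUESTIONVALUE', htmlentities($getpoll3['question']));
+$template->add('OPTION1VALUE', htmlentities($getpoll3['option1']));
+$template->add('OPTION2VALUE', htmlentities($getpoll3['option2']));
+$template->add('OPTION3VALUE', htmlentities($getpoll3['option3']));
+$template->add('OPTION4VALUE', htmlentities($getpoll3['option4']));
 $template->add('TEXTVALUE', $getpoll3['text']);
 }
 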
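Review bot: The `TEXTVALUE` assignments on lines 89, 99 and 113 are left unescaped while every sibling field in the same runs now goes through `htmlentities()`, so a `text` value containing `</textarea>` or a quote can still break out of whatever form element the template puts it in; if raw HTML is intended there, a comment saying so would stop the next person "fixing" it, otherwise `$template->add('TEXTVALUE', htmlentities($_POST['text'], ENT_QUOTES));` (and the `$getpoll3['text']` counterpart) closes the gap. The new `htmlentities()` calls use the default flags, which escape `"` but not `'`, so they are only safe if the template always double-quotes the `value="..."` attributes — passing `ENT_QUOTES` removes that dependency, and on PHP older than 5.4 the default charset is ISO-8859-1, so an explicit `'UTF-8'` argument is worth adding if the site serves UTF-8. Separately, and not introduced by this commit, `$_GET['id']` is concatenated into the `UPDATE ... WHERE id = ` query on line 91 without escaping or a cast and into the FLASH link on line 101 unescaped; `(int) $_GET['id']` at the top of the handler would cover both. The enclosing `if (isset($_GET['submit']))` block starts before the first hunk.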