| author | Starla Insigna <hatkirby@fourisland.com> | 2009-10-02 19:04:20 -0400 |
|---|---|---|
| committer | Starla Insigna <hatkirby@fourisland.com> | 2009-10-02 19:04:20 -0400 |
| commit | 9dfba1e70866fb2bb551678f6e04b8ddfd5467e1 (patch) | |
| tree | 81f4731ae7b2fa902226f084480e26411ac3ad71 /admin/newPoll.php | |
| parent | 00586f1e8ada8f5baa6e3013525862dccac77b4a (diff) | |
| download | fourisland-9dfba1e70866fb2bb551678f6e04b8ddfd5467e1.tar.gz fourisland-9dfba1e70866fb2bb551678f6e04b8ddfd5467e1.tar.bz2 fourisland-9dfba1e70866fb2bb551678f6e04b8ddfd5467e1.zip | |
Fixed HTML Entites problem
When the poll escaping problem was fixed, a whole ton of other similar bugs were found which were also fixed here. Fixes #115
Diffstat (limited to 'admin/newPoll.php')
| -rw-r--r-- | admin/newPoll.php | 19 |
1 files changed, 13 insertions, 6 deletions
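--- a/admin/newPoll.php
+++ b/admin/newPoll.php
@@ -77,6 +77,13 @@ if (isset($_GET['submit']))
 
 $template->add('TITLE', 'New Poll');
 $template->add('ACTION', '/admin/newPoll.php?submit=');
+
+$template->add('QUESTIONVALUE', htmlentities($_POST['question']));
+$template->add('OPTION1VALUE', htmlentities($_POST['option1']));
+$template->add('OPTION2VALUE', htmlentities($_POST['option2']));
+$template->add('OPTION3VALUE', htmlentities($_POST['option3']));
+$template->add('OPTION4VALUE', htmlentities($_POST['option4']));
+$template->add('TEXTVALUE', htmlentities($_POST['text']));
 } else {
 $inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4,text) VALUES (\"" . mysql_real_escape_string($_POST['question']) . "\",\"" . mysql_real_escape_string($_POST['option1']) . "\",\"" . mysql_real_escape_string($_POST['option2']) . "\",\"" . mysql_real_escape_string($_POST['option3']) . "\",\"" . mysql_real_escape_string($_POST['option4']) . "\",\"" . mysql_real_escape_string($_POST['text']) . "\")";
 $inspoll2 = mysql_query($inspoll);
@@ -86,12 +93,12 @@ if (isset($_GET['submit']))
 $cleardid = "TRUNCATE TABLE didpollalready";
 $cleardid2 = mysql_query($cleardid);
 
-$template->add('QUESTIONVALUE', $_POST['question']);
-$template->add('OPTION1VALUE', $_POST['option1']);
-$template->add('OPTION2VALUE', $_POST['option2']);
-$template->add('OPTION3VALUE', $_POST['option3']);
-$template->add('OPTION4VALUE', $_POST['option4']);
-$template->add('TEXTVALUE', $_POST['text']);
+$template->add('QUESTIONVALUE', htmlentities($_POST['question']));
+$template->add('OPTION1VALUE', htmlentities($_POST['option1']));
+$template->add('OPTION2VALUE', htmlentities($_POST['option2']));
+$template->add('OPTION3VALUE', htmlentities($_POST['option3']));
+$template->add('OPTION4VALUE', htmlentities($_POST['option4']));
+$template->add('TEXTVALUE', htmlentities($_POST['text']));
 
 $template->add('TITLE', 'Edit Poll');
 $template->add('ACTION', '/admin/editPoll.php?id=' . $id . '&submit=');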
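Review bot: The twelve new `htmlentities()` calls (six added in the first hunk, six rewritten in the second) rely on the default flags and charset, so single quotes are left unescaped (ENT_COMPAT) and, with the ISO-8859-1 default of this PHP era, non-ASCII submissions can be mangled rather than encoded; pass both explicitly, e.g. `$template->add('QUESTIONVALUE', htmlentities($_POST['question'], ENT_QUOTES, 'UTF-8'));`, and likewise for the five sibling calls in each hunk. Whether the single-quote gap is exploitable depends on how the template wraps these placeholders — if any lands in a single-quoted attribute, ENT_COMPAT does not protect it, so ENT_QUOTES is the safe default either way. In the first hunk the `$_POST[...]` reads are new to that branch; if the branch can also serve the initial empty form on a plain GET, they will emit undefined-index notices and should be guarded with `isset($_POST['question']) ? htmlentities(...) : ''` or similar. The `if (isset($_GET['submit']))` / `else` block enclosing both hunks starts before and ends after the lines shown here.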
