| author | Starla Insigna <hatkirby@fourisland.com> | 2008-12-19 23:16:04 -0500 |
|---|---|---|
| committer | Starla Insigna <hatkirby@fourisland.com> | 2008-12-19 23:16:04 -0500 |
| commit | 49422ceb232a21683a3512eda1c3f360b65bffc3 (patch) | |
| tree | 21468bc013af5ba83c2d1ff0d41246f12aeab219 /includes/functions.php | |
| parent | 0cf887cd8679223a7a3ef12c697f6d4e1144b0e3 (diff) | |
| download | fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.gz fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.bz2 fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.zip | |
Replaced addslashes()
Many SQL queries were using the function addslashes() to escape their content. They have been replaced with the more secure mysql_real_escape_string() function.
Diffstat (limited to 'includes/functions.php')
| -rwxr-xr-x | includes/functions.php | 4 |
1 files changed, 2 insertions, 2 deletions
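--- a/includes/functions.php
+++ b/includes/functions.php
@@ -115,7 +115,7 @@ function postBlogPost($title,$author,$tags,$content)
 {
 $slug = generateSlug($title,'updates');
 
-$inspost = "INSERT INTO updates (title,slug,author,text) VALUES (\"" . $title . "\",\"" . $slug . "\",\"" . $author . "\",\"" . addslashes($content) . "\")";
+$inspost = "INSERT INTO updates (title,slug,author,text) VALUES (\"" . $title . "\",\"" . $slug . "\",\"" . $author . "\",\"" . mysql_real_escape_string($content) . "\")";
 $inspost2 = mysql_query($inspost);
 
 $id = mysql_insert_id();
@@ -284,7 +284,7 @@ if (!function_exists('unique_id'))
 
 function displayRelated($title, $avoid = 0)
 {
-$getrelated = "SELECT *, MATCH (title, text) AGAINST (\"" . addslashes($title) . "\") AS score FROM updates WHERE MATCH (title, text) AGAINST (\"" . addslashes($title) . "\") AND id <> " . $avoid . " LIMIT 0,5";
+$getrelated = "SELECT *, MATCH (title, text) AGAINST (\"" . mysql_real_escape_string($title) . "\") AS score FROM updates WHERE MATCH (title, text) AGAINST (\"" . mysql_real_escape_string($title) . "\") AND id <> " . $avoid . " LIMIT 0,5";
 $getrelated2 = mysql_query($getrelated);
 $i=0;
 while ($getrelated3[$i] = mysql_fetch_array($getrelated2))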
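Review bot: The new INSERT in postBlogPost still concatenates `$title`, `$slug` and `$author` into the SQL string without any escaping; only `$content` was switched to mysql_real_escape_string(), so the statement remains injectable through the other three values (the same is true of the `$avoid` concatenation in displayRelated, where a string-escaping call would not help because it sits in numeric context). The minimal change is to escape every string operand and to force the integer, e.g. `mysql_real_escape_string($title) . "\",\"" . mysql_real_escape_string($slug) . "\",\"" . mysql_real_escape_string($author)` in the INSERT and `" AND id <> " . (int)$avoid . " LIMIT 0,5"` in the SELECT. Note that mysql_real_escape_string() needs an open connection and honours its charset; a prepared statement (mysqli/PDO with bound parameters) would remove the per-operand escaping burden entirely and is the durable fix. postBlogPost's body continues past the first hunk and displayRelated's past the second, so any further concatenations there are not visible here.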
