summary refs log tree commit diff stats
path: root/includes
diff options
context:
space:
mode:
authorStarla Insigna <hatkirby@fourisland.com>2008-12-19 23:16:04 -0500
committerStarla Insigna <hatkirby@fourisland.com>2008-12-19 23:16:04 -0500
commit49422ceb232a21683a3512eda1c3f360b65bffc3 (patch)
tree21468bc013af5ba83c2d1ff0d41246f12aeab219 /includes
parent0cf887cd8679223a7a3ef12c697f6d4e1144b0e3 (diff)
downloadfourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.gz
fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.bz2
fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.zip
Replaced addslashes()
Many SQL queries were using the function addslashes() to escape their content. They have been replaced with the more secure
mysql_real_escape_string() function.
Diffstat (limited to 'includes')
-rwxr-xr-xincludes/functions.php4
1 files changed, 2 insertions, 2 deletions
diff --git a/includes/functions.php b/includes/functions.php index 881bfd1..7c06077 100755 --- a/includes/functions.php +++ b/includes/functions.php
@@ -115,7 +115,7 @@ function postBlogPost($title,$author,$tags,$content)
115{ 115{
116 $slug = generateSlug($title,'updates'); 116 $slug = generateSlug($title,'updates');
117 117
118 $inspost = "INSERT INTO updates (title,slug,author,text) VALUES (\"" . $title . "\",\"" . $slug . "\",\"" . $author . "\",\"" . addslashes($content) . "\")"; 118 $inspost = "INSERT INTO updates (title,slug,author,text) VALUES (\"" . $title . "\",\"" . $slug . "\",\"" . $author . "\",\"" . mysql_real_escape_string($content) . "\")";
119 $inspost2 = mysql_query($inspost); 119 $inspost2 = mysql_query($inspost);
120 120
121 $id = mysql_insert_id(); 121 $id = mysql_insert_id();
@@ -284,7 +284,7 @@ if (!function_exists('unique_id'))
284 284
285function displayRelated($title, $avoid = 0) 285function displayRelated($title, $avoid = 0)
286{ 286{
287 $getrelated = "SELECT *, MATCH (title, text) AGAINST (\"" . addslashes($title) . "\") AS score FROM updates WHERE MATCH (title, text) AGAINST (\"" . addslashes($title) . "\") AND id <> " . $avoid . " LIMIT 0,5"; 287 $getrelated = "SELECT *, MATCH (title, text) AGAINST (\"" . mysql_real_escape_string($title) . "\") AS score FROM updates WHERE MATCH (title, text) AGAINST (\"" . mysql_real_escape_string($title) . "\") AND id <> " . $avoid . " LIMIT 0,5";
288 $getrelated2 = mysql_query($getrelated); 288 $getrelated2 = mysql_query($getrelated);
289 $i=0; 289 $i=0;
290 while ($getrelated3[$i] = mysql_fetch_array($getrelated2)) 290 while ($getrelated3[$i] = mysql_fetch_array($getrelated2))