Replaced addslashes()

Many SQL queries were using the function addslashes() to escape their content. They have been replaced with the more secure mysql_real_escape_string() function.
author: Starla Insigna <hatkirby@fourisland.com> 2008-12-19 23:16:04 -0500
committer: Starla Insigna <hatkirby@fourisland.com> 2008-12-19 23:16:04 -0500
commit: 49422ceb232a21683a3512eda1c3f360b65bffc3 (patch)
tree: 21468bc013af5ba83c2d1ff0d41246f12aeab219 /pages/admin.php
parent: 0cf887cd8679223a7a3ef12c697f6d4e1144b0e3 (diff)
download: fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.gz
fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.bz2
fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.zip
1 files changed, 9 insertions, 9 deletions
diff --git a/pages/admin.php b/pages/admin.php
index ecd90f5..90e540a 100755
--- a/pages/admin.php
+++ b/pages/admin.php

@@ -41,7 +41,7 @@ if (isLoggedIn())
                                if ($_POST['type'] == 'draft')
                                {
-                                        $insdraft = "INSERT INTO drafts (title,author,text,slug) VALUES (\"" . addslashes($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . addslashes($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";
+                                        $insdraft = "INSERT INTO drafts (title,author,text,slug) VALUES (\"" . mysql_real_escape_string($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . mysql_real_escape_string($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";
                                        $insdraft2 = mysql_query($insdraft);
                                        $id = mysql_insert_id();
@@ -87,7 +87,7 @@ if (isLoggedIn())
                                                generateError(404);
                                        }
-                                        $inspending = "INSERT INTO pending (id,title,author,text,slug) VALUES (" . $id . ",\"" . addslashes($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . addslashes($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";
+                                        $inspending = "INSERT INTO pending (id,title,author,text,slug) VALUES (" . $id . ",\"" . mysql_real_escape_string($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . mysql_real_escape_string($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";
                                        $inspending2 = mysql_query($inspending);
                                        addTags($id, $tags, 'pending');
@@ -131,7 +131,7 @@ if (isLoggedIn())
                                        if ($_POST['type'] == 'draft')
                                        {
-                                                $setdraft = "UPDATE drafts SET title = \"" . addslashes($_POST['title']) . "\", text = \"" . addslashes($_POST['text']) . "\" WHERE id = " . $_GET['id'];
+                                                $setdraft = "UPDATE drafts SET title = \"" . mysql_real_escape_string($_POST['title']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];
                                                $setdraft2 = mysql_query($setdraft);
                                                addTags($_GET['id'], $tags, 'draft');
@@ -179,7 +179,7 @@ if (isLoggedIn())
                                                        generateError(404);
                                                }
-                                                $inspending = "INSERT INTO pending (id,title,author,text,slug) VALUES (" . $id . ",\"" . addslashes($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . addslashes($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";
+                                                $inspending = "INSERT INTO pending (id,title,author,text,slug) VALUES (" . $id . ",\"" . mysql_real_escape_string($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . mysql_real_escape_string($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";
                                                $inspending2 = mysql_query($inspending);
                                                addTags($id, $tags, 'pending');
@@ -284,7 +284,7 @@ if (isLoggedIn())
                                } else {
                                        $tags = explode(',', $_POST['tags']);
-                                        $setpending = "UPDATE pending SET title = \"" . addslashes($_POST['title']) . "\", text = \"" . addslashes($_POST['text']) . "\" WHERE id = " . $_GET['id'];
+                                        $setpending = "UPDATE pending SET title = \"" . mysql_real_escape_string($_POST['title']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];
                                        $setpending2 = mysql_query($setpending);
                                        removeTags($_GET['id'], 'pending');
@@ -454,7 +454,7 @@ if (isLoggedIn())
                                } else {
                                        $tags = explode(',', $_POST['tags']);
-                                        $setpost = "UPDATE updates SET title = \"" . addslashes($_POST['title']) . "\", text = \"" . addslashes($_POST['text']) . "\" WHERE id = " . $_GET['id'];
+                                        $setpost = "UPDATE updates SET title = \"" . mysql_real_escape_string($_POST['title']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];
                                        $setpost2 = mysql_query($setpost);
                                        removeTags($_GET['id']);
@@ -601,13 +601,13 @@ if (isLoggedIn())
                                $template = new FITemplate('admin/pollrss');
                        } else if ($_GET['step'] == 2)
                        {
-                                $insrss = "INSERT INTO pollrss (author,rss) VALUES (\"" . sess_get('uname') . "\",\"" . addslashes($_POST['text']) . "\")";
+                                $insrss = "INSERT INTO pollrss (author,rss) VALUES (\"" . sess_get('uname') . "\",\"" . mysql_real_escape_string($_POST['text']) . "\")";
                                $insrss2 = mysql_query($insrss);
                                $template = new FITemplate('admin/newPoll');
                        } else if ($_GET['step'] == 3)
                        {
-                                $inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4) VALUES (\"" . addslashes($_POST['question']) . "\",\"" . $_POST['option1'] . "\",\"" . $_POST['option2'] . "\",\"" . $_POST['option3'] . "\",\"" . $_POST['option4'] . "\")";
+                                $inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4) VALUES (\"" . mysql_real_escape_string($_POST['question']) . "\",\"" . $_POST['option1'] . "\",\"" . $_POST['option2'] . "\",\"" . $_POST['option3'] . "\",\"" . $_POST['option4'] . "\")";
                                $inspoll2 = mysql_query($inspoll);
                                $cleardid = "TRUNCATE TABLE didpollalready";
@@ -654,7 +654,7 @@ if (isLoggedIn())
                                if (isset($_GET['approve']))
                                {
                                        $today = mktime(date('G'),date('i'),date('s'),date('m'),date('d'),date('Y'));
-                                        $insquote = "INSERT INTO rash_quotes (quote,date) VALUES (\"" . addslashes($getpending3['quote']) . "\",\"" . $today . "\")";
+                                        $insquote = "INSERT INTO rash_quotes (quote,date) VALUES (\"" . mysql_real_escape_string($getpending3['quote']) . "\",\"" . $today . "\")";
                                        $insquote2 = mysql_query($insquote);
                                        $delpending = "DELETE FROM rash_queue WHERE id = " . $_GET['id'];
author	Starla Insigna <hatkirby@fourisland.com>	2008-12-19 23:16:04 -0500
committer	Starla Insigna <hatkirby@fourisland.com>	2008-12-19 23:16:04 -0500
commit	49422ceb232a21683a3512eda1c3f360b65bffc3 (patch)
tree	21468bc013af5ba83c2d1ff0d41246f12aeab219 /pages/admin.php
parent	0cf887cd8679223a7a3ef12c697f6d4e1144b0e3 (diff)
download	fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.gz fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.bz2 fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.zip

diff --git a/pages/admin.php b/pages/admin.php index ecd90f5..90e540a 100755 --- a/pages/admin.php +++ b/pages/admin.php
@@ -41,7 +41,7 @@ if (isLoggedIn())
41		41
42	if ($_POST['type'] == 'draft')	42	if ($_POST['type'] == 'draft')
43	{	43	{
44	$insdraft = "INSERT INTO drafts (title,author,text,slug) VALUES (\"" . addslashes($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . addslashes($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";	44	$insdraft = "INSERT INTO drafts (title,author,text,slug) VALUES (\"" . mysql_real_escape_string($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . mysql_real_escape_string($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";
45	$insdraft2 = mysql_query($insdraft);	45	$insdraft2 = mysql_query($insdraft);
46		46
47	$id = mysql_insert_id();	47	$id = mysql_insert_id();
@@ -87,7 +87,7 @@ if (isLoggedIn())
87	generateError(404);	87	generateError(404);
88	}	88	}
89		89
90	$inspending = "INSERT INTO pending (id,title,author,text,slug) VALUES (" . $id . ",\"" . addslashes($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . addslashes($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";	90	$inspending = "INSERT INTO pending (id,title,author,text,slug) VALUES (" . $id . ",\"" . mysql_real_escape_string($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . mysql_real_escape_string($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";
91	$inspending2 = mysql_query($inspending);	91	$inspending2 = mysql_query($inspending);
92		92
93	addTags($id, $tags, 'pending');	93	addTags($id, $tags, 'pending');
@@ -131,7 +131,7 @@ if (isLoggedIn())
131		131
132	if ($_POST['type'] == 'draft')	132	if ($_POST['type'] == 'draft')
133	{	133	{
134	$setdraft = "UPDATE drafts SET title = \"" . addslashes($_POST['title']) . "\", text = \"" . addslashes($_POST['text']) . "\" WHERE id = " . $_GET['id'];	134	$setdraft = "UPDATE drafts SET title = \"" . mysql_real_escape_string($_POST['title']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];
135	$setdraft2 = mysql_query($setdraft);	135	$setdraft2 = mysql_query($setdraft);
136		136
137	addTags($_GET['id'], $tags, 'draft');	137	addTags($_GET['id'], $tags, 'draft');
@@ -179,7 +179,7 @@ if (isLoggedIn())
179	generateError(404);	179	generateError(404);
180	}	180	}
181		181
182	$inspending = "INSERT INTO pending (id,title,author,text,slug) VALUES (" . $id . ",\"" . addslashes($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . addslashes($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";	182	$inspending = "INSERT INTO pending (id,title,author,text,slug) VALUES (" . $id . ",\"" . mysql_real_escape_string($_POST['title']) . "\",\"" . sess_get('uname') . "\",\"" . mysql_real_escape_string($_POST['text']) . "\",\"" . generateSlug($_POST['title'],'updates') . "\")";
183	$inspending2 = mysql_query($inspending);	183	$inspending2 = mysql_query($inspending);
184		184
185	addTags($id, $tags, 'pending');	185	addTags($id, $tags, 'pending');
@@ -284,7 +284,7 @@ if (isLoggedIn())
284	} else {	284	} else {
285	$tags = explode(',', $_POST['tags']);	285	$tags = explode(',', $_POST['tags']);
286		286
287	$setpending = "UPDATE pending SET title = \"" . addslashes($_POST['title']) . "\", text = \"" . addslashes($_POST['text']) . "\" WHERE id = " . $_GET['id'];	287	$setpending = "UPDATE pending SET title = \"" . mysql_real_escape_string($_POST['title']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];
288	$setpending2 = mysql_query($setpending);	288	$setpending2 = mysql_query($setpending);
289		289
290	removeTags($_GET['id'], 'pending');	290	removeTags($_GET['id'], 'pending');
@@ -454,7 +454,7 @@ if (isLoggedIn())
454	} else {	454	} else {
455	$tags = explode(',', $_POST['tags']);	455	$tags = explode(',', $_POST['tags']);
456		456
457	$setpost = "UPDATE updates SET title = \"" . addslashes($_POST['title']) . "\", text = \"" . addslashes($_POST['text']) . "\" WHERE id = " . $_GET['id'];	457	$setpost = "UPDATE updates SET title = \"" . mysql_real_escape_string($_POST['title']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];
458	$setpost2 = mysql_query($setpost);	458	$setpost2 = mysql_query($setpost);
459		459
460	removeTags($_GET['id']);	460	removeTags($_GET['id']);
@@ -601,13 +601,13 @@ if (isLoggedIn())
601	$template = new FITemplate('admin/pollrss');	601	$template = new FITemplate('admin/pollrss');
602	} else if ($_GET['step'] == 2)	602	} else if ($_GET['step'] == 2)
603	{	603	{
604	$insrss = "INSERT INTO pollrss (author,rss) VALUES (\"" . sess_get('uname') . "\",\"" . addslashes($_POST['text']) . "\")";	604	$insrss = "INSERT INTO pollrss (author,rss) VALUES (\"" . sess_get('uname') . "\",\"" . mysql_real_escape_string($_POST['text']) . "\")";
605	$insrss2 = mysql_query($insrss);	605	$insrss2 = mysql_query($insrss);
606		606
607	$template = new FITemplate('admin/newPoll');	607	$template = new FITemplate('admin/newPoll');
608	} else if ($_GET['step'] == 3)	608	} else if ($_GET['step'] == 3)
609	{	609	{
610	$inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4) VALUES (\"" . addslashes($_POST['question']) . "\",\"" . $_POST['option1'] . "\",\"" . $_POST['option2'] . "\",\"" . $_POST['option3'] . "\",\"" . $_POST['option4'] . "\")";	610	$inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4) VALUES (\"" . mysql_real_escape_string($_POST['question']) . "\",\"" . $_POST['option1'] . "\",\"" . $_POST['option2'] . "\",\"" . $_POST['option3'] . "\",\"" . $_POST['option4'] . "\")";
611	$inspoll2 = mysql_query($inspoll);	611	$inspoll2 = mysql_query($inspoll);
612		612
613	$cleardid = "TRUNCATE TABLE didpollalready";	613	$cleardid = "TRUNCATE TABLE didpollalready";
@@ -654,7 +654,7 @@ if (isLoggedIn())
654	if (isset($_GET['approve']))	654	if (isset($_GET['approve']))
655	{	655	{
656	$today = mktime(date('G'),date('i'),date('s'),date('m'),date('d'),date('Y'));	656	$today = mktime(date('G'),date('i'),date('s'),date('m'),date('d'),date('Y'));
657	$insquote = "INSERT INTO rash_quotes (quote,date) VALUES (\"" . addslashes($getpending3['quote']) . "\",\"" . $today . "\")";	657	$insquote = "INSERT INTO rash_quotes (quote,date) VALUES (\"" . mysql_real_escape_string($getpending3['quote']) . "\",\"" . $today . "\")";
658	$insquote2 = mysql_query($insquote);	658	$insquote2 = mysql_query($insquote);
659		659
660	$delpending = "DELETE FROM rash_queue WHERE id = " . $_GET['id'];	660	$delpending = "DELETE FROM rash_queue WHERE id = " . $_GET['id'];