authorStarla Insigna <hatkirby@fourisland.com>2008-12-19 23:16:04 -0500
committerStarla Insigna <hatkirby@fourisland.com>2008-12-19 23:16:04 -0500
commit49422ceb232a21683a3512eda1c3f360b65bffc3 (patch)
tree21468bc013af5ba83c2d1ff0d41246f12aeab219 /pages/quotes.php
parent0cf887cd8679223a7a3ef12c697f6d4e1144b0e3 (diff)
downloadfourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.gz
fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.tar.bz2
fourisland-49422ceb232a21683a3512eda1c3f360b65bffc3.zip
Replaced addslashes()
Many SQL queries were using the function addslashes() to escape their content. They have been replaced with the more secure
mysql_real_escape_string() function.
Diffstat (limited to 'pages/quotes.php')
-rwxr-xr-xpages/quotes.php4
1 files changed, 2 insertions, 2 deletions
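--- a/pages/quotes.php
+++ b/pages/quotes.php
@@ -43,10 +43,10 @@ if ((!isset($_GET['act'])) || ($_GET['act'] == 'latest'))
 $template->adds_block('SUBMITTED',array('QUOTE' => (nl2br(htmlspecialchars($_POST['rash_quote'])) . "\n")));
 if (!isLoggedIn())
 {
-$insquote = "INSERT INTO rash_queue (quote) VALUES(\"" . addslashes(htmlspecialchars($_POST['rash_quote'])) . "\")";
+$insquote = "INSERT INTO rash_queue (quote) VALUES(\"" . mysql_real_escape_string(htmlspecialchars($_POST['rash_quote'])) . "\")";
 } else {
 $today = mktime(date('G'),date('i'),date('s'),date('m'),date('d'),date('Y'));
-$insquote = "INSERT INTO rash_quotes (quote, rating, flag, date) VALUES (\"" . addslashes($_POST['rash_quote']) . "\", 0, 0, \"" . $today . "\")";
+$insquote = "INSERT INTO rash_quotes (quote, rating, flag, date) VALUES (\"" . mysql_real_escape_string($_POST['rash_quote']) . "\", 0, 0, \"" . $today . "\")";
 }
 $insquote2 = mysql_query($insquote);
 }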
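Review bot: The new statements on lines 46 and 49 still assemble SQL by concatenating escaped input into double-quoted literals, so their safety now rests on mysql_real_escape_string() being called with an open connection whose character set matches what the server applies; with no connection it returns false, which concatenates as an empty string and silently inserts an empty quote. The durable fix is a parameterised query (a mysqli or PDO prepared statement with a bound `?` placeholder), which removes the escaping step and the quoting around it entirely. Separately, the two branches persist different representations: the queue branch stores htmlspecialchars()-encoded text while the quotes branch stores the raw submission, so whatever later moves a row from rash_queue to rash_quotes must not encode it a second time; a comment at line 46 such as `// stored HTML-encoded; do not re-encode when promoting to rash_quotes` would make that contract visible. The return value of mysql_query() on line 51 is also never checked, so a failed insert is indistinguishable from success. The enclosing if-block begins before the hunk.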