1 files changed, 15 insertions, 15 deletions
diff --git a/admin/editPoll.php b/admin/editPoll.php
index 3a154a3..425f33c 100644
--- a/admin/editPoll.php
+++ b/admin/editPoll.php

@@ -81,21 +81,21 @@ if (isset($_GET['submit']))
                $getpoll2 = mysql_query($getpoll);
                $getpoll3 = mysql_fetch_array($getpoll2);
-                $template->add('QUESTIONVALUE', $_POST['question']);
+                $template->add('QUESTIONVALUE', htmlentities($_POST['question']));
-                $template->add('OPTION1VALUE', $_POST['option1']);
+                $template->add('OPTION1VALUE', htmlentities($_POST['option1']));
-                $template->add('OPTION2VALUE', $_POST['option2']);
+                $template->add('OPTION2VALUE', htmlentities($_POST['option2']));
-                $template->add('OPTION3VALUE', $_POST['option3']);
+                $template->add('OPTION3VALUE', htmlentities($_POST['option3']));
-                $template->add('OPTION4VALUE', $_POST['option4']);
+                $template->add('OPTION4VALUE', htmlentities($_POST['option4']));
                $template->add('TEXTVALUE', $_POST['text']);
        } else {
                $inspoll = "UPDATE polloftheweek SET question = \"" . mysql_real_escape_string($_POST['question']) . "\", option1 = \"" . mysql_real_escape_string($_POST['option1']) . "\", option2 = \"" . mysql_real_escape_string($_POST['option2']) . "\", option3 = \"" . mysql_real_escape_string($_POST['option3']) . "\", option4 = \"" . mysql_real_escape_string($_POST['option4']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];
                $inspoll2 = mysql_query($inspoll);
-                $template->add('QUESTIONVALUE', $_POST['question']);
+                $template->add('QUESTIONVALUE', htmlentities($_POST['question']));
-                $template->add('OPTION1VALUE', $_POST['option1']);
+                $template->add('OPTION1VALUE', htmlentities($_POST['option1']));
-                $template->add('OPTION2VALUE', $_POST['option2']);
+                $template->add('OPTION2VALUE', htmlentities($_POST['option2']));
-                $template->add('OPTION3VALUE', $_POST['option3']);
+                $template->add('OPTION3VALUE', htmlentities($_POST['option3']));
-                $template->add('OPTION4VALUE', $_POST['option4']);
+                $template->add('OPTION4VALUE', htmlentities($_POST['option4']));
                $template->add('TEXTVALUE', $_POST['text']);
                $template->adds_block('FLASH', array('TEXT' => 'Your poll has been sucessfully edited. <a href="/poll/' . $_GET['id'] . '.php">View poll</a>.'));
@@ -105,11 +105,11 @@ if (isset($_GET['submit']))
        $getpoll2 = mysql_query($getpoll);
        $getpoll3 = mysql_fetch_array($getpoll2);
-        $template->add('QUESTIONVALUE', $getpoll3['question']);
+        $template->add('QUESTIONVALUE', htmlentities($getpoll3['question']));
-        $template->add('OPTION1VALUE', $getpoll3['option1']);
+        $template->add('OPTION1VALUE', htmlentities($getpoll3['option1']));
-        $template->add('OPTION2VALUE', $getpoll3['option2']);
+        $template->add('OPTION2VALUE', htmlentities($getpoll3['option2']));
-        $template->add('OPTION3VALUE', $getpoll3['option3']);
+        $template->add('OPTION3VALUE', htmlentities($getpoll3['option3']));
-        $template->add('OPTION4VALUE', $getpoll3['option4']);
+        $template->add('OPTION4VALUE', htmlentities($getpoll3['option4']));
        $template->add('TEXTVALUE', $getpoll3['text']);
 }

diff --git a/admin/editPoll.php b/admin/editPoll.php index 3a154a3..425f33c 100644 --- a/admin/editPoll.php +++ b/admin/editPoll.php
@@ -81,21 +81,21 @@ if (isset($_GET['submit']))
81	$getpoll2 = mysql_query($getpoll);	81	$getpoll2 = mysql_query($getpoll);
82	$getpoll3 = mysql_fetch_array($getpoll2);	82	$getpoll3 = mysql_fetch_array($getpoll2);
83		83
84	$template->add('QUESTIONVALUE', $_POST['question']);	84	$template->add('QUESTIONVALUE', htmlentities($_POST['question']));
85	$template->add('OPTION1VALUE', $_POST['option1']);	85	$template->add('OPTION1VALUE', htmlentities($_POST['option1']));
86	$template->add('OPTION2VALUE', $_POST['option2']);	86	$template->add('OPTION2VALUE', htmlentities($_POST['option2']));
87	$template->add('OPTION3VALUE', $_POST['option3']);	87	$template->add('OPTION3VALUE', htmlentities($_POST['option3']));
88	$template->add('OPTION4VALUE', $_POST['option4']);	88	$template->add('OPTION4VALUE', htmlentities($_POST['option4']));
89	$template->add('TEXTVALUE', $_POST['text']);	89	$template->add('TEXTVALUE', $_POST['text']);
90	} else {	90	} else {
91	$inspoll = "UPDATE polloftheweek SET question = \"" . mysql_real_escape_string($_POST['question']) . "\", option1 = \"" . mysql_real_escape_string($_POST['option1']) . "\", option2 = \"" . mysql_real_escape_string($_POST['option2']) . "\", option3 = \"" . mysql_real_escape_string($_POST['option3']) . "\", option4 = \"" . mysql_real_escape_string($_POST['option4']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];	91	$inspoll = "UPDATE polloftheweek SET question = \"" . mysql_real_escape_string($_POST['question']) . "\", option1 = \"" . mysql_real_escape_string($_POST['option1']) . "\", option2 = \"" . mysql_real_escape_string($_POST['option2']) . "\", option3 = \"" . mysql_real_escape_string($_POST['option3']) . "\", option4 = \"" . mysql_real_escape_string($_POST['option4']) . "\", text = \"" . mysql_real_escape_string($_POST['text']) . "\" WHERE id = " . $_GET['id'];
92	$inspoll2 = mysql_query($inspoll);	92	$inspoll2 = mysql_query($inspoll);
93		93
94	$template->add('QUESTIONVALUE', $_POST['question']);	94	$template->add('QUESTIONVALUE', htmlentities($_POST['question']));
95	$template->add('OPTION1VALUE', $_POST['option1']);	95	$template->add('OPTION1VALUE', htmlentities($_POST['option1']));
96	$template->add('OPTION2VALUE', $_POST['option2']);	96	$template->add('OPTION2VALUE', htmlentities($_POST['option2']));
97	$template->add('OPTION3VALUE', $_POST['option3']);	97	$template->add('OPTION3VALUE', htmlentities($_POST['option3']));
98	$template->add('OPTION4VALUE', $_POST['option4']);	98	$template->add('OPTION4VALUE', htmlentities($_POST['option4']));
99	$template->add('TEXTVALUE', $_POST['text']);	99	$template->add('TEXTVALUE', $_POST['text']);
100		100
101	$template->adds_block('FLASH', array('TEXT' => 'Your poll has been sucessfully edited. <a href="/poll/' . $_GET['id'] . '.php">View poll</a>.'));	101	$template->adds_block('FLASH', array('TEXT' => 'Your poll has been sucessfully edited. <a href="/poll/' . $_GET['id'] . '.php">View poll</a>.'));
@@ -105,11 +105,11 @@ if (isset($_GET['submit']))
105	$getpoll2 = mysql_query($getpoll);	105	$getpoll2 = mysql_query($getpoll);
106	$getpoll3 = mysql_fetch_array($getpoll2);	106	$getpoll3 = mysql_fetch_array($getpoll2);
107		107
108	$template->add('QUESTIONVALUE', $getpoll3['question']);	108	$template->add('QUESTIONVALUE', htmlentities($getpoll3['question']));
109	$template->add('OPTION1VALUE', $getpoll3['option1']);	109	$template->add('OPTION1VALUE', htmlentities($getpoll3['option1']));
110	$template->add('OPTION2VALUE', $getpoll3['option2']);	110	$template->add('OPTION2VALUE', htmlentities($getpoll3['option2']));
111	$template->add('OPTION3VALUE', $getpoll3['option3']);	111	$template->add('OPTION3VALUE', htmlentities($getpoll3['option3']));
112	$template->add('OPTION4VALUE', $getpoll3['option4']);	112	$template->add('OPTION4VALUE', htmlentities($getpoll3['option4']));
113	$template->add('TEXTVALUE', $getpoll3['text']);	113	$template->add('TEXTVALUE', $getpoll3['text']);
114	}	114	}
115		115