From 9dfba1e70866fb2bb551678f6e04b8ddfd5467e1 Mon Sep 17 00:00:00 2001 From: Starla Insigna Date: Fri, 2 Oct 2009 19:04:20 -0400 Subject: Fixed HTML Entites problem When the poll escaping problem was fixed, a whole ton of other similar bugs were found which were also fixed here. Fixes #115 --- admin/newPoll.php | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) (limited to 'admin/newPoll.php') diff --git a/admin/newPoll.php b/admin/newPoll.php index c924cd9..d105f45 100644 --- a/admin/newPoll.php +++ b/admin/newPoll.php @@ -77,6 +77,13 @@ if (isset($_GET['submit'])) $template->add('TITLE', 'New Poll'); $template->add('ACTION', '/admin/newPoll.php?submit='); + + $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); + $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); + $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); + $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); + $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); + $template->add('TEXTVALUE', htmlentities($_POST['text'])); } else { $inspoll = "INSERT INTO polloftheweek (question,option1,option2,option3,option4,text) VALUES (\"" . mysql_real_escape_string($_POST['question']) . "\",\"" . mysql_real_escape_string($_POST['option1']) . "\",\"" . mysql_real_escape_string($_POST['option2']) . "\",\"" . mysql_real_escape_string($_POST['option3']) . "\",\"" . mysql_real_escape_string($_POST['option4']) . "\",\"" . mysql_real_escape_string($_POST['text']) . "\")"; $inspoll2 = mysql_query($inspoll); 
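Review bot: The six new `htmlentities($_POST[...])` calls rely on PHP's default flags, which leave single quotes unescaped and (before PHP 5.4) assume ISO-8859-1, so a value rendered inside a single-quoted attribute can still break out and UTF-8 input is mangled into per-byte entities. Pass the flags and charset explicitly, e.g. `$template->add('QUESTIONVALUE', htmlspecialchars($_POST['question'], ENT_QUOTES, 'UTF-8'));`, and likewise for the other five fields; whether the template uses single- or double-quoted attributes cannot be seen from here, but ENT_QUOTES is correct in either case. If this branch can be reached without a POST body, the bare `$_POST['question']` reads also raise undefined-index notices, so a default such as `isset($_POST['question']) ? $_POST['question'] : ''` would be worth adding. The `if` whose `else` branch performs the INSERT begins before this hunk, so the condition that leads to these lines is not visible.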
@@ -86,12 +93,12 @@ if (isset($_GET['submit'])) $cleardid = "TRUNCATE TABLE didpollalready"; $cleardid2 = mysql_query($cleardid); - $template->add('QUESTIONVALUE', $_POST['question']); - $template->add('OPTION1VALUE', $_POST['option1']); - $template->add('OPTION2VALUE', $_POST['option2']); - $template->add('OPTION3VALUE', $_POST['option3']); - $template->add('OPTION4VALUE', $_POST['option4']); - $template->add('TEXTVALUE', $_POST['text']); + $template->add('QUESTIONVALUE', htmlentities($_POST['question'])); + $template->add('OPTION1VALUE', htmlentities($_POST['option1'])); + $template->add('OPTION2VALUE', htmlentities($_POST['option2'])); + $template->add('OPTION3VALUE', htmlentities($_POST['option3'])); + $template->add('OPTION4VALUE', htmlentities($_POST['option4'])); + $template->add('TEXTVALUE', htmlentities($_POST['text'])); $template->add('TITLE', 'Edit Poll'); $template->add('ACTION', '/admin/editPoll.php?id=' . $id . '&submit='); -- cgit 1.4.1
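Review bot: The six replaced `$template->add('...VALUE', htmlentities(...))` lines are a verbatim copy of the six added in the New Poll branch of the previous hunk, which is exactly how the two paths drifted apart before this fix; a single loop keeps them in step: `foreach (array('question', 'option1', 'option2', 'option3', 'option4', 'text') as $field) { $template->add(strtoupper($field) . 'VALUE', htmlentities($_POST[$field])); }`. Whatever escaping call is settled on (htmlentities, or htmlspecialchars with ENT_QUOTES and an explicit charset), having it in one place means the next correction only has to be made once. The unchanged ACTION line below still concatenates `$id` into the URL with no escaping or `(int)` cast; if `$id` derives from request input it is the same class of bug this commit set out to fix, though where it is assigned is not visible in this hunk.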