From 49422ceb232a21683a3512eda1c3f360b65bffc3 Mon Sep 17 00:00:00 2001
From: Starla Insigna
Date: Fri, 19 Dec 2008 23:16:04 -0500
Subject: Replaced addslashes()

Many SQL queries were using the function addslashes() to escape their content. They have been replaced with the more secure mysql_real_escape_string() function.
---
 includes/functions.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'includes/functions.php')

diff --git a/includes/functions.php b/includes/functions.php
index 881bfd1..7c06077 100755
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -115,7 +115,7 @@ function postBlogPost($title,$author,$tags,$content)
 {
 $slug = generateSlug($title,'updates');
-$inspost = "INSERT INTO updates (title,slug,author,text) VALUES (\"" . $title . "\",\"" . $slug . "\",\"" . $author . "\",\"" . addslashes($content) . "\")";
+$inspost = "INSERT INTO updates (title,slug,author,text) VALUES (\"" . $title . "\",\"" . $slug . "\",\"" . $author . "\",\"" . mysql_real_escape_string($content) . "\")";
 $inspost2 = mysql_query($inspost);
 $id = mysql_insert_id();
@@ -284,7 +284,7 @@ if (!function_exists('unique_id'))
 function displayRelated($title, $avoid = 0)
 {
-$getrelated = "SELECT *, MATCH (title, text) AGAINST (\"" . addslashes($title) . "\") AS score FROM updates WHERE MATCH (title, text) AGAINST (\"" . addslashes($title) . "\") AND id <> " . $avoid . " LIMIT 0,5";
+$getrelated = "SELECT *, MATCH (title, text) AGAINST (\"" . mysql_real_escape_string($title) . "\") AS score FROM updates WHERE MATCH (title, text) AGAINST (\"" . mysql_real_escape_string($title) . "\") AND id <> " . $avoid . " LIMIT 0,5";
 $getrelated2 = mysql_query($getrelated);
 $i=0;
 while ($getrelated3[$i] = mysql_fetch_array($getrelated2))
--
cgit 1.4.1
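Review bot: The new `$inspost` line in postBlogPost escapes only `$content`; `$title`, `$slug` and `$author` are still concatenated into the INSERT as-is, so the same class of injection the commit is fixing remains reachable through those three values. Either wrap each of them the same way, `mysql_real_escape_string($title)`, `mysql_real_escape_string($slug)`, `mysql_real_escape_string($author)`, or better, build the INSERT as a prepared statement with bound parameters (mysqli or PDO) so no value is ever spliced into the query text. Note also that mysql_real_escape_string() needs an open connection and returns false otherwise, which this code would silently concatenate as an empty string; its return value is not checked anywhere in the hunk. postBlogPost's body continues outside the hunk.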
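Review bot: In displayRelated the `$avoid` parameter is concatenated into the WHERE clause with no escaping or cast, so the only unescaped input left in this query is exactly the one the new line does not touch; since it is compared against the integer `id` column, `" AND id <> " . (int) $avoid . " LIMIT 0,5"` would close that gap with a one-token change. Separately, the same `$title` is escaped twice on the new line; computing it once, `$safeTitle = mysql_real_escape_string($title);`, keeps both AGAINST() clauses identical and makes the query line readable. As with the first hunk, a prepared statement with `?` placeholders would make both points moot. displayRelated's body continues outside the hunk.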