From 49422ceb232a21683a3512eda1c3f360b65bffc3 Mon Sep 17 00:00:00 2001
From: Starla Insigna
Date: Fri, 19 Dec 2008 23:16:04 -0500
Subject: Replaced addslashes()

Many SQL queries were using the function addslashes() to escape their content. They have been replaced with the more secure mysql_real_escape_string() function.
---
 pages/quotes.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'pages/quotes.php')

diff --git a/pages/quotes.php b/pages/quotes.php
index 8aaa5db..55d12d9 100755
--- a/pages/quotes.php
+++ b/pages/quotes.php
@@ -43,10 +43,10 @@ if ((!isset($_GET['act'])) || ($_GET['act'] == 'latest'))
 $template->adds_block('SUBMITTED',array('QUOTE' => (nl2br(htmlspecialchars($_POST['rash_quote'])) . "\n")));
 if (!isLoggedIn()) {
- $insquote = "INSERT INTO rash_queue (quote) VALUES(\"" . addslashes(htmlspecialchars($_POST['rash_quote'])) . "\")";
+ $insquote = "INSERT INTO rash_queue (quote) VALUES(\"" . mysql_real_escape_string(htmlspecialchars($_POST['rash_quote'])) . "\")";
 } else {
 $today = mktime(date('G'),date('i'),date('s'),date('m'),date('d'),date('Y'));
- $insquote = "INSERT INTO rash_quotes (quote, rating, flag, date) VALUES (\"" . addslashes($_POST['rash_quote']) . "\", 0, 0, \"" . $today . "\")";
+ $insquote = "INSERT INTO rash_quotes (quote, rating, flag, date) VALUES (\"" . mysql_real_escape_string($_POST['rash_quote']) . "\", 0, 0, \"" . $today . "\")";
 }
 $insquote2 = mysql_query($insquote);
 }
-- cgit 1.4.1
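Review bot: mysql_real_escape_string() on the two added lines is only as strong as the character set of the open MySQL link it escapes for: unless that link's charset was set with mysql_set_charset() rather than a `SET NAMES` query, multibyte encodings such as GBK can still carry a quote character past the escape, and nothing in this hunk shows where the connection is opened or its charset configured. The function also returns false (with a warning) when no usable link exists, and false concatenates into the query as an empty string, so the return value should be checked before it is spliced in, e.g. `$quote = mysql_real_escape_string($_POST['rash_quote']);` followed by `if ($quote === false) { /* abort the insert: no usable DB link */ }`. Both lines still build SQL by string concatenation, so this change is a stopgap; a prepared statement with a bound parameter (mysqli or PDO) would remove both the escaping and the dependency on connection state. Note too that the queue branch stores the quote HTML-escaped while the logged-in branch stores it raw, an inconsistency the commit preserves, so readers of rash_quotes presumably must escape on output. The enclosing `if ((!isset($_GET['act'])) ...)` block begins before this hunk.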