authorKelly Rauchenberger <fefferburbia@gmail.com>2008-08-01 18:34:35 +0000
committerKelly Rauchenberger <fefferburbia@gmail.com>2008-08-01 18:34:35 +0000
commitedc9d436c4e4f9fa3cb00256652190359a4ddc20 (patch)
tree38cf352c9501dfcbb283565d83f9e16c8eff3c60 /central/trunk/instadisc.php
parent0114b7b5ddaf919a61b108f5006a256b81178c3d (diff)
Central: MySQL-escaped query strings
Wrapped strings in MySQL queries with mysql_escape_string() to prevent query errors and SQL-injection attacks.
Diffstat (limited to 'central/trunk/instadisc.php')
-rw-r--r--central/trunk/instadisc.php8
1 files changed, 4 insertions, 4 deletions
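--- a/central/trunk/instadisc.php
+++ b/central/trunk/instadisc.php
@@ -6,7 +6,7 @@ include_once('db.php');
 
 function instaDisc_checkVerification($username, $verification, $verificationID, $table, $nameField, $passField)
 {
-	$getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . $username . "\"";
+	$getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . mysql_escape_string($username) . "\"";
 	$getitem2 = mysql_query($getitem);
 	$getitem3 = mysql_fetch_array($getitem2);
 	if ($getitem3[$nameField] == $username)
@@ -41,16 +41,16 @@ function instaDisc_sendDatabase($cserver)
 
 function instaDisc_addItem($username, $subscription, $title, $author, $url, $semantics)
 {
-	$getuser = "SELECT * FROM users WHERE username = \"" . $username . "\"";
+	$getuser = "SELECT * FROM users WHERE username = \"" . mysql_escape_string($username) . "\"";
 	$getuser2 = mysql_query($getuser);
 	$getuser3 = mysql_fetch_array($getuser2);
 	if ($getuser3['username'] == $username)
 	{
 		$itemID = $getuser3['nextItemID'];
-		$setuser = "UPDATE users SET nextItemID = nextItemID+1 WHERE username = \"" . $username . "\"";
+		$setuser = "UPDATE users SET nextItemID = nextItemID+1 WHERE username = \"" . mysql_escape_string($username) . "\"";
 		$setuser2 = mysql_query($setuser);
 
-		$insitem = "INSERT INTO inbox (username, itemID, subscription, title, author, url, semantics) VALUES (\"" . $username . "\", " . $itemID . ", \"" . $subscription . "\", \"" . $title . "\", \"" . $author . "\", \"" . $url . "\", \"" . serialize($semantics) . "\")";
+		$insitem = "INSERT INTO inbox (username, itemID, subscription, title, author, url, semantics) VALUES (\"" . mysql_escape_string($username) . "\", " . $itemID . ", \"" . mysql_escape_string($subscription) . "\", \"" . mysql_escape_string($title) . "\", \"" . mysql_escape_string($author) . "\", \"" . mysql_escape_string($url) . "\", \"" . mysql_escape_string(serialize($semantics)) . "\")";
 		$insitem2 = mysql_query($insitem);
 
 		instaDisc_sendItem($username, $itemID);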
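Review bot: mysql_escape_string() on lines 9, 44, 50 and 53 is not aware of the connection character set, so the escaping can be bypassed when the link uses a multibyte charset such as GBK or BIG5; at minimum switch these calls to `mysql_real_escape_string($username)` and, preferably, move the queries to mysqli/PDO prepared statements so values are never spliced into SQL text at all. The escaping also does nothing for `$table` and `$nameField` on line 9 — identifiers cannot be string-escaped, so if any caller derives them from request data they need to be checked against a fixed allow-list of table and column names before the query is built. The commit message describes this as an XSS fix, but SQL escaping only addresses SQL injection; title, author and url are stored escaped for SQL, not for HTML, and still need htmlspecialchars() wherever they are rendered. instaDisc_checkVerification and instaDisc_addItem both continue past the end of their hunks.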