1 files changed, 4 insertions, 4 deletions
diff --git a/central/trunk/instadisc.php b/central/trunk/instadisc.php
index f4fcd1e..d32d2d7 100644
--- a/central/trunk/instadisc.php
+++ b/central/trunk/instadisc.php

@@ -6,7 +6,7 @@ include_once('db.php');
 function instaDisc_checkVerification($username, $verification, $verificationID, $table, $nameField, $passField)
 {
-        $getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . $username . "\"";
+        $getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . mysql_escape_string($username) . "\"";
        $getitem2 = mysql_query($getitem);
        $getitem3 = mysql_fetch_array($getitem2);
        if ($getitem3[$nameField] == $username)
@@ -41,16 +41,16 @@ function instaDisc_sendDatabase($cserver)
 function instaDisc_addItem($username, $subscription, $title, $author, $url, $semantics)
 {
-        $getuser = "SELECT * FROM users WHERE username = \"" . $username . "\"";
+        $getuser = "SELECT * FROM users WHERE username = \"" . mysql_escape_string($username) . "\"";
        $getuser2 = mysql_query($getuser);
        $getuser3 = mysql_fetch_array($getuser2);
        if ($getuser3['username'] == $username)
        {
                $itemID = $getuser3['nextItemID'];
-                $setuser = "UPDATE users SET nextItemID = nextItemID+1 WHERE username = \"" . $username . "\"";
+                $setuser = "UPDATE users SET nextItemID = nextItemID+1 WHERE username = \"" . mysql_escape_string($username) . "\"";
                $setuser2 = mysql_query($setuser);
-                $insitem = "INSERT INTO inbox (username, itemID, subscription, title, author, url, semantics) VALUES (\"" . $username . "\", " . $itemID . ", \"" . $subscription . "\", \"" . $title . "\", \"" . $author . "\", \"" . $url . "\", \"" . serialize($semantics) . "\")";
+                $insitem = "INSERT INTO inbox (username, itemID, subscription, title, author, url, semantics) VALUES (\"" . mysql_escape_string($username) . "\", " . $itemID . ", \"" . mysql_escape_string($subscription) . "\", \"" . mysql_escape_string($title) . "\", \"" . mysql_escape_string($author) . "\", \"" . mysql_escape_string($url) . "\", \"" . mysql_escape_string(serialize($semantics)) . "\")";
                $insitem2 = mysql_query($insitem);
                instaDisc_sendItem($username, $itemID);

diff --git a/central/trunk/instadisc.php b/central/trunk/instadisc.php index f4fcd1e..d32d2d7 100644 --- a/central/trunk/instadisc.php +++ b/central/trunk/instadisc.php
@@ -6,7 +6,7 @@ include_once('db.php');
6		6
7	function instaDisc_checkVerification($username, $verification, $verificationID, $table, $nameField, $passField)	7	function instaDisc_checkVerification($username, $verification, $verificationID, $table, $nameField, $passField)
8	{	8	{
9	$getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . $username . "\"";	9	$getitem = "SELECT * FROM " . $table . " WHERE " . $nameField . " = \"" . mysql_escape_string($username) . "\"";
10	$getitem2 = mysql_query($getitem);	10	$getitem2 = mysql_query($getitem);
11	$getitem3 = mysql_fetch_array($getitem2);	11	$getitem3 = mysql_fetch_array($getitem2);
12	if ($getitem3[$nameField] == $username)	12	if ($getitem3[$nameField] == $username)
@@ -41,16 +41,16 @@ function instaDisc_sendDatabase($cserver)
41		41
42	function instaDisc_addItem($username, $subscription, $title, $author, $url, $semantics)	42	function instaDisc_addItem($username, $subscription, $title, $author, $url, $semantics)
43	{	43	{
44	$getuser = "SELECT * FROM users WHERE username = \"" . $username . "\"";	44	$getuser = "SELECT * FROM users WHERE username = \"" . mysql_escape_string($username) . "\"";
45	$getuser2 = mysql_query($getuser);	45	$getuser2 = mysql_query($getuser);
46	$getuser3 = mysql_fetch_array($getuser2);	46	$getuser3 = mysql_fetch_array($getuser2);
47	if ($getuser3['username'] == $username)	47	if ($getuser3['username'] == $username)
48	{	48	{
49	$itemID = $getuser3['nextItemID'];	49	$itemID = $getuser3['nextItemID'];
50	$setuser = "UPDATE users SET nextItemID = nextItemID+1 WHERE username = \"" . $username . "\"";	50	$setuser = "UPDATE users SET nextItemID = nextItemID+1 WHERE username = \"" . mysql_escape_string($username) . "\"";
51	$setuser2 = mysql_query($setuser);	51	$setuser2 = mysql_query($setuser);
52		52
53	$insitem = "INSERT INTO inbox (username, itemID, subscription, title, author, url, semantics) VALUES (\"" . $username . "\", " . $itemID . ", \"" . $subscription . "\", \"" . $title . "\", \"" . $author . "\", \"" . $url . "\", \"" . serialize($semantics) . "\")";	53	$insitem = "INSERT INTO inbox (username, itemID, subscription, title, author, url, semantics) VALUES (\"" . mysql_escape_string($username) . "\", " . $itemID . ", \"" . mysql_escape_string($subscription) . "\", \"" . mysql_escape_string($title) . "\", \"" . mysql_escape_string($author) . "\", \"" . mysql_escape_string($url) . "\", \"" . mysql_escape_string(serialize($semantics)) . "\")";
54	$insitem2 = mysql_query($insitem);	54	$insitem2 = mysql_query($insitem);
55		55
56	instaDisc_sendItem($username, $itemID);	56	instaDisc_sendItem($username, $itemID);