Timestamp:
May 18, 2011, 10:32:20 PM (13 years ago)
Author:
J.Commelin
Message:

Added banners to php files.
Escaped user data that would be inserted in queries.

File:
1 edited

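--- a/extensions/Copyrights/admin.php
+++ b/extensions/Copyrights/admin.php
@@ -1,3 +1,24 @@
 <?php
+// +-----------------------------------------------------------------------+
+// | Piwigo - a PHP based picture gallery                                  |
+// +-----------------------------------------------------------------------+
+// | Copyright(C) 2008-2009 Piwigo Team                  http://piwigo.org |
+// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
+// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
+// +-----------------------------------------------------------------------+
+// | This program is free software; you can redistribute it and/or modify  |
+// | it under the terms of the GNU General Public License as published by  |
+// | the Free Software Foundation                                          |
+// |                                                                       |
+// | This program is distributed in the hope that it will be useful, but   |
+// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
+// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
+// | General Public License for more details.                              |
+// |                                                                       |
+// | You should have received a copy of the GNU General Public License     |
+// | along with this program; if not, write to the Free Software           |
+// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
+// | USA.                                                                  |
+// +-----------------------------------------------------------------------+
 
 if (!defined("PHPWG_ROOT_PATH")){
@@ -22,12 +43,13 @@
 if (isset($_GET['tab'])) {
   if ($_GET['tab'] == 'create') {
-    $name = $_REQUEST['name'];
-    $url = $_REQUEST['url'];
+    $name = pwg_db_real_escape_string($_REQUEST['name']);
+    $url = pwg_db_real_escape_string($_REQUEST['url']);
     $visible = (isset($_REQUEST['visible']) ? 1 : 0);
-    $query = '
-      INSERT INTO '.COPYRIGHTS_ADMIN.'
+    $query = sprintf(
+      'INSERT INTO %s
       (`name`,`url`,`visible`) VALUES
-      ("'.$name.'","'.$url.'",'.$visible.')
-      ;';
+      ("%s","%s",%d)
+      ;',
+      COPYRIGHTS_ADMIN, $name, $url, $visible);
     pwg_query($query);
   }
@@ -36,9 +58,10 @@
     $edit = 1;
     $CRid = $_REQUEST['id'];
-    $query = '
-      SELECT *
-      FROM '.COPYRIGHTS_ADMIN.'
-      WHERE `cr_id`='.$CRid.'
-      ;';
+    $query = sprintf(
+      'SELECT *
+      FROM %s
+      WHERE `cr_id`=%d
+      ;',
+      COPYRIGHTS_ADMIN, $CRid);
     $result = pwg_query($query);
     $row = pwg_db_fetch_assoc($result);
@@ -49,13 +72,14 @@
 
   if ($_GET['tab'] == 'update') {
-    $id = $_REQUEST['id'];
-    $name = $_REQUEST['name'];
-    $url = $_REQUEST['url'];
+    $id = pwg_db_real_escape_string($_REQUEST['id']);
+    $name = pwg_db_real_escape_string($_REQUEST['name']);
+    $url = pwg_db_real_escape_string($_REQUEST['url']);
     $visible = (isset($_REQUEST['visible']) ? 1 : 0);
-    $query = '
-      UPDATE '.$prefixeTable.'copyrights_admin
-      SET `name`="'.$name.'", `url`="'.$url.'", `visible`='.$visible.'
-      WHERE `cr_id`='.$id.'
-      ;';
+    $query = sprintf(
+      'UPDATE %s
+      SET `name`="%s", `url`="%s", `visible`=%d
+      WHERE `cr_id`=%d
+      ;',
+      COPYRIGHTS_ADMIN, $name, $url, $visible, $id);
     pwg_query($query);
   }
@@ -63,8 +87,9 @@
   if ($_GET['tab'] == 'delete') {
     $id = $_REQUEST['id'];
-    $query = '
-      DELETE FROM '.$prefixeTable.'copyrights_admin
-      WHERE `cr_id`='.$id.'
-      ;';
+    $query = sprintf(
+      'DELETE FROM %s
+      WHERE `cr_id`=%d
+      ;',
+      COPYRIGHTS_ADMIN, $id);
     pwg_query($query);
   }
@@ -80,8 +105,9 @@
 );
 
-$query = '
-  SELECT *
-  FROM '.COPYRIGHTS_ADMIN.'
-  ;';
+$query = sprintf(
+  'SELECT *
+  FROM %s
+  ;',
+  COPYTIGHTS_ADMIN);
 $result = pwg_query($query);
 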
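Review bot: The page-listing query at new line 111 passes `COPYTIGHTS_ADMIN`, a misspelling of the `COPYRIGHTS_ADMIN` constant used in every other rewritten query; PHP resolves the undefined constant to the bare string (with a notice), so the final `SELECT * FROM COPYTIGHTS_ADMIN` will fail against the real table — change it to `COPYRIGHTS_ADMIN);`. The `%d` conversions make the `cr_id` lookups in the select/update/delete branches safe regardless of escaping, and `name`/`url` are escaped before being placed in the double-quoted literals, which is adequate for MySQL-style escaping. The create/update/delete branches are still driven by `$_REQUEST`, so each state-changing action can be triggered by a plain GET link; unless a CSRF token check exists elsewhere in this file, consider restricting them to POST and verifying a token. `$_REQUEST['name']` and `['url']` are also read without an `isset` guard, which emits notices when the fields are absent. The enclosing `if (isset($_GET['tab']))` block opened at new line 43 closes outside the shown hunks.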