Timestamp:
Nov 18, 2009, 9:07:20 PM (14 years ago)
Author:
Eric
Message:

Escape all login and username characters in database
Display usernames correctly

(I hope not to have made mistakes)

File:
1 edited

  • trunk/include/functions_comment.inc.php

    r3600 r4304  
    100100SELECT COUNT(*) AS user_exists
    101101  FROM '.USERS_TABLE.'
    102   WHERE '.$conf['user_fields']['username']." = '".$comm['author']."'";
     102  WHERE '.$conf['user_fields']['username']." = '".addslashes($comm['author'])."'";
    103103      $row = mysql_fetch_assoc( pwg_query( $query ) );
    104104      if ( $row['user_exists'] == 1 )
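
Review bot: on the new WHERE line (r4304 line 102), addslashes() escapes without regard to the connection character set, so it is a weaker guard than the database driver's own escaping. Since the result is read with mysql_fetch_assoc(), the query runs through the mysql_* extension, and mysql_real_escape_string($comm['author']) or a single project-wide escaping helper would be the safer choice and would keep every username lookup escaped the same way. It is also worth confirming that $comm['author'] is not already escaped before it reaches this query, which this hunk does not show; escaping twice would make the user_exists check miss usernames that contain quotes or backslashes.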