From 74425f0b5af8a8baea115563914093060fc64540 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20Nicolaysen=20S=C3=B8rnes?= Date: Tue, 24 Apr 2007 23:36:10 +0000 Subject: [PATCH] Fix TableVE::make_option_list's where handling to prevent sql injection --- include/tableve.php | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/include/tableve.php b/include/tableve.php index c6e209d..ecd6353 100644 --- a/include/tableve.php +++ b/include/tableve.php @@ -171,23 +171,29 @@ class TableVE { echo html_frame_end(); } - function make_option_list($varname, $cvalue, $table, $idField, $nameField, $where = "") + function make_option_list($sVarname, $sCvalue, $sTable, $sIdField, $sNameField, $aWhere = null) { - $hResult = query_parameters("SELECT ?, ? FROM ? ? ORDER BY '?'", - $idField, $nameField, $table, $where, $nameField); + /* We do not allow direct insertion into of SQL code, so the WHERE clause is + is accepted in an array form, where the first element is the variable + and the second is the value it must be equal to */ + if($aWhere) + $sWhere = "WHERE ".$aWhere[0]." ='".$aWhere[1]."'"; + + $hResult = query_parameters("SELECT ?, ? FROM ? $sWhere ORDER BY '?'", + $sIdField, $sNameField, $sTable, $sNameField); if(!$hResult) return; // Oops - echo "\n"; echo "\n"; - while(list($id, $name) = mysql_fetch_row($hResult)) + while(list($iId, $sName) = mysql_fetch_row($hResult)) { - if ($name == "NONAME") + if ($sName == "NONAME") continue; - if($id == $cvalue) - echo "