Fix TableVE::make_option_list's where handling to prevent sql injection

Alexander Nicolaysen Sørnes
2007-04-24 23:36:10 +00:00
committed by WineHQ
parent d6bf700f00
commit 74425f0b5a


@@ -171,23 +171,29 @@ class TableVE {
echo html_frame_end(); echo html_frame_end();
} }
function make_option_list($varname, $cvalue, $table, $idField, $nameField, $where = "") function make_option_list($sVarname, $sCvalue, $sTable, $sIdField, $sNameField, $aWhere = null)
{ {
$hResult = query_parameters("SELECT ?, ? FROM ? ? ORDER BY '?'", /* We do not allow direct insertion into of SQL code, so the WHERE clause is
$idField, $nameField, $table, $where, $nameField); is accepted in an array form, where the first element is the variable
and the second is the value it must be equal to */
if($aWhere)
$sWhere = "WHERE ".$aWhere[0]." ='".$aWhere[1]."'";
$hResult = query_parameters("SELECT ?, ? FROM ? $sWhere ORDER BY '?'",
$sIdField, $sNameField, $sTable, $sNameField);
if(!$hResult) if(!$hResult)
return; // Oops return; // Oops
echo "<select name='$varname'>\n"; echo "<select name='$sVarname'>\n";
echo "<option value=0>Choose ...</option>\n"; echo "<option value=0>Choose ...</option>\n";
while(list($id, $name) = mysql_fetch_row($hResult)) while(list($iId, $sName) = mysql_fetch_row($hResult))
{ {
if ($name == "NONAME") if ($sName == "NONAME")
continue; continue;
if($id == $cvalue) if($iId == $sCvalue)
echo "<option value=$id selected>$name\n"; echo "<option value=$iId selected>$sName\n";
else else
echo "<option value=$id>$name\n"; echo "<option value=$iId>$sName\n";
} }
echo "</select>\n"; echo "</select>\n";
} }
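Review bot: The new WHERE construction `$sWhere = "WHERE ".$aWhere[0]." ='".$aWhere[1]."'";` still concatenates both the column name and the value straight into the SQL string without escaping, so the injection the commit title says it fixes remains for any caller that passes attacker-influenced data in `$aWhere[1]` (a single quote in the value ends the literal) or in `$aWhere[0]`; the array form only removes free-form clause text, it does not parameterise anything. The value should go through the same `?` binding the rest of the query already uses, and the column name should be checked against a fixed identifier pattern or allowlist before use, since it cannot be bound as a value — I am assuming `query_parameters` escapes bound values but substitutes identifiers raw, which the hunk suggests (`FROM ?`) but does not show. The `if($aWhere)` branch also leaves `$sWhere` unset on the null path, so the interpolation on the next line raises an undefined-variable notice; initialising it first, or splitting into two calls as below, avoids that. Separately, `$iId` and `$sName` are echoed into the `<option>` markup unescaped; they come from the database rather than the request, but `htmlspecialchars()` at the echo sites would be the defensive default. The class body and the surrounding `while` loop are fully inside the hunk, but `make_option_list`'s callers are not visible here, so which inputs actually reach `$aWhere` is inferred.
```php
if($aWhere)
{
    /* Column names cannot be bound as values; reject anything that is not a plain identifier */
    if(!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $aWhere[0]))
        return; // Oops
    $hResult = query_parameters("SELECT ?, ? FROM ? WHERE ".$aWhere[0]." = ? ORDER BY '?'",
                                $sIdField, $sNameField, $sTable, $aWhere[1], $sNameField);
}
else
{
    $hResult = query_parameters("SELECT ?, ? FROM ? ORDER BY '?'",
                                $sIdField, $sNameField, $sTable, $sNameField);
}
/* … unchanged: result check and <select> output … */
```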