Use query_parameters() in SQL select, update and delete statements to protect against
sql injection attacks
This commit is contained in:
Chris Morgan
WineHQ
@@ -18,8 +18,8 @@ $aClean['noteTitle'] = makeSafe($_REQUEST['noteTitle']);
|
||||
$aClean['noteDesc'] = makeSafe($_REQUEST['noteDesc']);
|
||||
|
||||
//FIXME: get rid of appId references everywhere, as version is enough.
|
||||
$sQuery = "SELECT appId FROM appVersion WHERE versionId = '".$aClean['versionId']."'";
|
||||
$hResult = query_appdb($sQuery);
|
||||
$sQuery = "SELECT appId FROM appVersion WHERE versionId = '?'";
|
||||
$hResult = query_parameters($sQuery, $aClean['versionId']);
|
||||
$oRow = mysql_fetch_object($hResult);
|
||||
$appId = $oRow->appId;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user