Use query_parameters() in SQL select, update and delete statements to protect against

sql injection attacks
2006-06-27 19:16:27 +00:00
parent e6458694f4
commit e3f9e5371a
46 changed files with 602 additions and 484 deletions
--- a/admin/adminBugs.php
+++ b/admin/adminBugs.php
@@ -117,16 +117,6 @@ if ($aClean['sub'])
                    AND buglinks.versionId = appVersion.versionId
                    AND buglinks.bug_id = ".BUGZILLA_DB.".bugs.bug_id";
    }
-    $sQuery = "SELECT appFamily.description as appDescription, 
-               appFamily.appName as appName, appVersion.*, 
-               buglinks.versionId as versionId, 
-               buglinks.bug_id as bug_id, 
-               buglinks.linkId as linkId, 
-               buglinks.queued as queued, 
-               bugs.* 
-               FROM appFamily, appVersion, buglinks, bugs.bugs
-               ".$sWhere."
-               ORDER BY buglinks.bug_id, appName, versionName";
    $sQuery = "SELECT appFamily.description as appDescription, 
               appFamily.appName as appName, appVersion.*, 
               buglinks.versionId as versionId, 
@@ -137,11 +127,11 @@ if ($aClean['sub'])
               FROM appFamily, appVersion, buglinks, bugs.bugs
               ".$sWhere."
               ORDER BY buglinks.bug_id, appName, versionName
-               LIMIT ".$offset.", ".$ItemsPerPage.";";
+               LIMIT ".mysql_real_escape_string($offset).", ".mysql_real_escape_string($ItemsPerPage).";";

    $c = 0;

-    if($hResult = query_appdb($sQuery))
+    if($hResult = query_parameters($sQuery))
    {
        while($oRow = mysql_fetch_object($hResult))
        {