Use query_parameters() in SQL select, update and delete statements to protect against SQL injection attacks
Chris Morgan
2006-06-27 19:16:27 +00:00
committed by WineHQ
parent e6458694f4
commit e3f9e5371a
46 changed files with 602 additions and 484 deletions


@@ -60,14 +60,14 @@ echo "</center>";
/* query for all of the commentId's, ordering by their time in reverse order */
$offset = (($currentPage-1) * $ItemsPerPage);
$commentIds = query_appdb("SELECT commentId from appComments ORDER BY ".
"appComments.time ASC LIMIT $offset, $ItemsPerPage;");
$commentIds = query_parameters("SELECT commentId from appComments ORDER BY ".
"appComments.time ASC LIMIT ?, ?", $offset, $ItemsPerPage);
while ($ob = mysql_fetch_object($commentIds))
{
$sQuery = "SELECT from_unixtime(unix_timestamp(time), \"%W %M %D %Y, %k:%i\") as time, ".
"commentId, parentId, versionId, userid, subject, body ".
"FROM appComments WHERE commentId = $ob->commentId;";
$hResult = query_appdb($sQuery);
"FROM appComments WHERE commentId = '?'";
$hResult = query_parameters($sQuery, $ob->commentId);
/* call view_app_comment to display the comment */
$comment_ob = mysql_fetch_object($hResult);
view_app_comment($comment_ob);