Use query_parameters() in SQL select, update and delete statements to protect against SQL injection attacks
This commit is contained in:
Chris Morgan
2006-06-27 19:16:27 +00:00
committed by WineHQ
parent e6458694f4
commit e3f9e5371a
46 changed files with 602 additions and 484 deletions


@@ -4,11 +4,13 @@ function log_category_visit($catId)
{
global $REMOTE_ADDR;
$result = query_appdb("SELECT * FROM catHitStats WHERE ip = '$REMOTE_ADDR' AND catId = $catId");
$result = query_parameters("SELECT * FROM catHitStats WHERE ip = '?' AND catId = '?'",
$REMOTE_ADDR, $catId);
if($result && mysql_num_rows($result) == 1)
{
$stats = mysql_fetch_object($result);
query_appdb("UPDATE catHitStats SET count = count + 1 WHERE catHitId = $stats->catHitId");
query_parameters("UPDATE catHitStats SET count = count + 1 WHERE catHitId = '?'",
$stats->catHitId);
} else
{
query_parameters("INSERT INTO catHitStats (appHitId, time, ip, catId, count) ".
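Review bot: Both new placeholders in the SELECT are written as `'?'`, so the injection protection rests entirely on query_parameters() escaping each substituted value for a single-quoted string context; that helper is not on this page, so whether it does is inferred rather than shown. `$catId` is compared against what looks like a numeric column and `$REMOTE_ADDR` arrives through `global`, so both values are request-influenced and should be treated as untrusted. A cheap defence in depth that does not depend on the helper's escaping is to normalise the id before the query, e.g. `$catId = (int)$catId;` as the first statement of log_category_visit, and likewise `$appId = (int)$appId;` in the log_application_visit hunk below, which has the same shape. log_category_visit's body continues outside the hunk (the INSERT statement is cut at its first line).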
@@ -21,11 +23,13 @@ function log_application_visit($appId)
{
global $REMOTE_ADDR;
$result = query_appdb("SELECT * FROM appHitStats WHERE ip = '$REMOTE_ADDR' AND appId = $appId");
$result = query_parameters("SELECT * FROM appHitStats WHERE ip = '?' AND appId = '?'",
$REMOTE_ADDR, $appId);
if($result && mysql_num_rows($result) == 1)
{
$stats = mysql_fetch_object($result);
query_appdb("UPDATE appHitStats SET count = count + 1 WHERE appHitId = $stats->appHitId");
query_parameters("UPDATE appHitStats SET count = count + 1 WHERE appHitId = '?'",
$stats->appHitId);
} else
{
query_parameters("INSERT INTO appHitStats (appHitId, time, ip, appId, count) ".