Protect against sql injection attacks in sql INSERT statements

2006-06-24 04:20:32 +00:00
parent c31173ef9e
commit fb0f3b5dd3
20 changed files with 208 additions and 180 deletions
--- a/admin/adminAppDataQueue.php
+++ b/admin/adminAppDataQueue.php
@@ -168,10 +168,12 @@ if (!$aClean['id'])
            $oScreenshot->unQueue();
        }
        elseif ($obj_row->type == "url")
-        { // FIXME: use Link class
-            $query = "INSERT INTO appData VALUES (null, ".$obj_row->versionId.", 'url', ".
-                     "'".$aClean['description']."', '".$obj_row->url."')";
-            if (query_appdb($sQuery))
+        {
+            $hResult = query_parameters("INSERT INTO appData (id, appId, versionId, type, ".
+                                        "description, url) VALUES (?, '?', '?', '?', '?', '?')",
+                                        "null", $obj_row->appId, $obj_row->versionId,
+                                        "url", $aClean['description'], $obj_row->url);
+            if($hResult)
            {
                $statusMessage = "<p>The application data was successfully added into the database</p>\n";

--- a/admin/editBundle.php
+++ b/admin/editBundle.php
@@ -33,7 +33,10 @@ if($_REQUEST['cmd'])
    }
    if($_REQUEST['cmd'] == "add")
    {
-        $hResult = query_appdb("INSERT INTO appBundle VALUES (".$_REQUEST['bundleId'].", ".$_REQUEST['appId'].")");
+        $hResult = query_parameters("INSERT INTO appBundle (bundleId, appId) VALUES".
+                                    "('?', '?')",
+                                    $_REQUEST['bundleId'],
+                                    $_REQUEST['appId']);
        if($hResult)
            addmsg("App $appId added to Bundle".$_REQUEST['bundleId'], "green");
    }