Protect against sql injection attacks in sql INSERT statements

2006-06-24 04:20:32 +00:00
parent c31173ef9e
commit fb0f3b5dd3
20 changed files with 208 additions and 180 deletions
--- a/include/vote.php
+++ b/include/vote.php
@@ -66,7 +66,9 @@ function vote_add($appId, $slot, $userId = null)
        return;
    
    vote_remove($slot, $userId);
-    query_appdb("INSERT INTO appVotes VALUES (null, null, $appId, $userId, $slot)");
+
+    query_parameters("INSERT INTO appVotes (id, time, appId, userId, slot)
+                      VALUES (?, ?, '?', '?', '?')", "null", "null", $appId, $userId, $slot);
 }