diff options
| author | Paul S. Owen <psotfx@users.sourceforge.net> | 2003-01-07 14:45:12 +0000 |
|---|---|---|
| committer | Paul S. Owen <psotfx@users.sourceforge.net> | 2003-01-07 14:45:12 +0000 |
| commit | 493a689b1eddc2d8db2078e487596322ce86dfc2 (patch) | |
| tree | 41b79f385ee8c6c5746abb90d6970e37f512417b /phpBB/posting.php | |
| parent | d2e324fe0bfd7ee20609453c873516682b914959 (diff) | |
| download | forums-493a689b1eddc2d8db2078e487596322ce86dfc2.tar forums-493a689b1eddc2d8db2078e487596322ce86dfc2.tar.gz forums-493a689b1eddc2d8db2078e487596322ce86dfc2.tar.bz2 forums-493a689b1eddc2d8db2078e487596322ce86dfc2.tar.xz forums-493a689b1eddc2d8db2078e487596322ce86dfc2.zip | |
We'll try and get it right this time ...
git-svn-id: file:///svn/phpbb/trunk@3265 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/posting.php')
| -rw-r--r-- | phpBB/posting.php | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/phpBB/posting.php b/phpBB/posting.php index a80f00c69d..2ae22c224c 100644 --- a/phpBB/posting.php +++ b/phpBB/posting.php @@ -312,7 +312,7 @@ if (isset($post)) { $topic_sql = array( 'forum_id' => intval($forum_id), - 'topic_title' => $subject, + 'topic_title' => $db->sql_escape(htmlspecialchars($subject)), 'topic_poster' => intval($user->data['user_id']), 'topic_time' => $current_time, 'topic_type' => (!empty($enable_icons)) ? intval($topic_type) : 0, @@ -322,7 +322,7 @@ if (isset($post)) if (!empty($poll_options)) { $topic_sql = array_merge($topic_sql, array( - 'poll_title' => $poll_title, + 'poll_title' => $db->sql_escape($poll_title), 'poll_start' => (!empty($poll_start)) ? $poll_start : $current_time, 'poll_length' => $poll_length * 3600 )); @@ -338,7 +338,7 @@ if (isset($post)) 'topic_id' => intval($topic_id), 'forum_id' => intval($forum_id), 'poster_id' => ($mode == 'edit') ? intval($poster_id) : intval($user->data['user_id']), - 'post_username' => ($username != '') ? $username : '', + 'post_username' => ($username != '') ? $db->sql_escape($username) : '', 'poster_ip' => $user->ip, 'post_time' => $current_time, 'post_approved' => (!empty($enable_moderate) && !$auth->acl_gets('f_ignorequeue', 'm_', 'a_', intval($forum_id))) ? 0 : 1, @@ -356,7 +356,7 @@ if (isset($post)) // post_text ... may merge into posts table $post_text_sql = array( - 'post_subject' => $db->sql_quote(htmlspecialchars($subject)), + 'post_subject' => $db->sql_escape(htmlspecialchars($subject)), 'bbcode_uid' => $bbcode_uid, 'post_id' => intval($post_id), ); @@ -364,10 +364,10 @@ if (isset($post)) { $post_text_sql = array_merge($post_text_sql, array( 'post_checksum' => $message_md5, - 'post_text' => $db->sql_quote($message), + 'post_text' => $db->sql_escape($message), )); } - echo $sql = ($mode == 'edit') ? 'UPDATE ' . POSTS_TEXT_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $post_text_sql) . ' WHERE post_id = ' . intval($post_id) : 'INSERT INTO ' . POSTS_TEXT_TABLE . ' ' . $db->sql_build_array('INSERT', $post_text_sql); + $sql = ($mode == 'edit') ? 'UPDATE ' . POSTS_TEXT_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $post_text_sql) . ' WHERE post_id = ' . intval($post_id) : 'INSERT INTO ' . POSTS_TEXT_TABLE . ' ' . $db->sql_build_array('INSERT', $post_text_sql); $db->sql_query($sql); // poll options @@ -392,13 +392,13 @@ if (isset($post)) if (empty($cur_poll_options[$i])) { $sql = "INSERT INTO phpbb_poll_results (topic_id, poll_option_text) - VALUES (" . intval($topic_id) . ", '" . sql_quote($poll_options[$i]) . "')"; + VALUES (" . intval($topic_id) . ", '" . $db->sql_escape($poll_options[$i]) . "')"; $db->sql_query($sql); } else if ($poll_options[$i] != $cur_poll_options[$i]) { $sql = "UPDATE phpbb_poll_results - SET poll_option_text = '" . sql_quote($poll_options[$i]) . "' + SET poll_option_text = '" . $db->sql_escape($poll_options[$i]) . "' WHERE poll_option_id = " . $cur_poll_options[$i]['poll_option_id']; $db->sql_query($sql); } @@ -431,7 +431,7 @@ if (isset($post)) 'forum_last_post_id' => intval($post_id), 'forum_last_post_time' => $current_time, 'forum_last_poster_id' => intval($user->data['user_id']), - 'forum_last_poster_name'=> ($user->data['user_id'] == ANONYMOUS) ? $username : $user->data['username'], + 'forum_last_poster_name'=> ($user->data['user_id'] == ANONYMOUS) ? $db->sql_escape($username) : $user->data['username'], ); $sql = 'UPDATE ' . FORUMS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $forum_sql) . ', forum_posts = forum_posts + 1' . $forum_topics_sql . ' WHERE forum_id IN (' . $forum_ids . ')'; $db->sql_query($sql); |