From 5048f1f2bc9dc972dfb74f404a1c9593a04ef6b5 Mon Sep 17 00:00:00 2001
From: "Paul S. Owen"
Date: Tue, 7 Jan 2003 14:37:34 +0000
Subject: Various updates, inc. fixing non-escaping of '
git-svn-id: file:///svn/phpbb/trunk@3263 89ea8834-ac86-4346-8a33-228a782c2dd0
---
 phpBB/posting.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/phpBB/posting.php b/phpBB/posting.php
index 0e1be3f711..a80f00c69d 100644
--- a/phpBB/posting.php
+++ b/phpBB/posting.php
@@ -356,7 +356,7 @@ if (isset($post))
 // post_text ... may merge into posts table
 $post_text_sql = array(
- 'post_subject' => htmlspecialchars($subject),
+ 'post_subject' => $db->sql_quote(htmlspecialchars($subject)),
 'bbcode_uid' => $bbcode_uid,
 'post_id' => intval($post_id),
 );
@@ -364,10 +364,10 @@ if (isset($post))
 {
 $post_text_sql = array_merge($post_text_sql, array(
 'post_checksum' => $message_md5,
- 'post_text' => $message,
+ 'post_text' => $db->sql_quote($message),
 ));
 }
- $sql = ($mode == 'edit') ? 'UPDATE ' . POSTS_TEXT_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $post_text_sql) . ' WHERE post_id = ' . intval($post_id) : 'INSERT INTO ' . POSTS_TEXT_TABLE . ' ' . $db->sql_build_array('INSERT', $post_text_sql);
+ echo $sql = ($mode == 'edit') ? 'UPDATE ' . POSTS_TEXT_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $post_text_sql) . ' WHERE post_id = ' . intval($post_id) : 'INSERT INTO ' . POSTS_TEXT_TABLE . ' ' . $db->sql_build_array('INSERT', $post_text_sql);
 $db->sql_query($sql);
 // poll options
-- 
cgit v1.2.1
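Review bot: The new `post_subject` line only fixes the SQL side of the "non-escaping of '" problem the subject line names; `htmlspecialchars($subject)` with its default flags converts `&`, `<`, `>` and `"` but leaves `'` untouched, so the stored subject still carries a raw single quote that will break out of any single-quoted HTML attribute it is later rendered into. If the intent is to store an output-safe subject, use `'post_subject' => $db->sql_quote(htmlspecialchars($subject, ENT_QUOTES)),`. Note also that the neighbouring `bbcode_uid` value in the same array is not passed through `$db->sql_quote()`; presumably it is server-generated and quote-free, but if `sql_build_array()` does not escape values itself, every string member should be treated the same way. The enclosing `if (isset($post))` block starts and ends outside this hunk.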
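Review bot: The `echo $sql = ...` on the new side of the second hunk prints the complete INSERT/UPDATE statement — table name, column layout and the full escaped post body — into the HTTP response for every post submission, which looks like a debugging leftover rather than an intended change and discloses schema details to any user. Drop the `echo` and keep the assignment: `$sql = ($mode == 'edit') ? 'UPDATE ' . POSTS_TEXT_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $post_text_sql) . ' WHERE post_id = ' . intval($post_id) : 'INSERT INTO ' . POSTS_TEXT_TABLE . ' ' . $db->sql_build_array('INSERT', $post_text_sql);`. Separately, `post_text` is now run through `$db->sql_quote()` while `post_checksum` (`$message_md5`) in the same array is not; that is fine if it is always a hex digest, but the asymmetry is worth a comment such as `// post_checksum is an md5 hex string, no quoting needed`. The enclosing block starts and ends outside this hunk.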