took additional measures to prevent sql injection

This commit is contained in:
JT Smith 2004-05-02 16:15:33 +00:00
parent 045997bc93
commit a293678acd
10 changed files with 29 additions and 32 deletions


@ -150,7 +150,7 @@ sub www_deleteForumConfirm {
my $forum = WebGUI::Forum->new($session{form}{forumId});
$forum->purge;
}
WebGUI::SQL->write("delete from MessageBoard_forums where forumId=".$session{form}{forumId}." and wobjectId=".$_[0]->get("wobjectId"));
WebGUI::SQL->write("delete from MessageBoard_forums where forumId=".quote($session{form}{forumId})." and wobjectId=".$_[0]->get("wobjectId"));
return "";
}
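Review bot: The new delete statement still concatenates `$_[0]->get("wobjectId")` into the SQL unquoted, so only half of the WHERE clause is protected by `quote()`; for consistency it should read `" and wobjectId=".quote($_[0]->get("wobjectId"))`. wobjectId appears to come from the wobject itself rather than from `%session{form}`, so the exposure is lower than for forumId, but quoting every interpolated value keeps the statement safe regardless of where the value originated and makes the quoting discipline easy to audit. The same unquoted wobjectId concatenation remains in the www_editForumSave hunk below, in the `quickArray` select, the insert and the update. The body of www_deleteForumConfirm begins outside this hunk.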
@ -205,11 +205,11 @@ sub www_editForumSave {
my ($seq) = WebGUI::SQL->quickArray("select max(sequenceNumber) from MessageBoard_forums where wobjectId=".$_[0]->get("wobjectId"));
$seq++;
WebGUI::SQL->write("insert into MessageBoard_forums (wobjectId, forumId, title, description, sequenceNumber) values ("
.$_[0]->get("wobjectId").", ".$forumId.", ".quote($session{form}{title}).", ".quote($session{form}{description})
.$_[0]->get("wobjectId").", ".quote($forumId).", ".quote($session{form}{title}).", ".quote($session{form}{description})
.", ".$seq.")");
} else {
WebGUI::SQL->write("update MessageBoard_forums set title=".quote($session{form}{title}).", description="
.quote($session{form}{description})." where forumId=".$forumId." and wobjectId=".$_[0]->get("wobjectId"));
.quote($session{form}{description})." where forumId=".quote($forumId)." and wobjectId=".$_[0]->get("wobjectId"));
}
return "";
}