if (empty($_POST['receiver'])) $_POST['receiver'] = "";
if (IS_ADMIN()) $whereStatement = "";
-// Add slashes to every value
-foreach($_POST as $key => $value)
-{
- // Skip submit buttons
- if (($key != "data") && ($key != "frametester")) $_POST[$key] = addslashes($value);
-}
-
// Minimum mails / order
define('__MIN_VALUE', $_CONFIG['order_min']);
// URL found!
$URL = URL."/modules.php?module=login&what=order&msg=".CODE_URL_FOUND;
}
- $TEST = str_replace("\n", "", str_replace("\r", "", addslashes($_POST['text'])));
+ $TEST = str_replace("\n", "", str_replace("\r", "", $_POST['text']));
if (strlen($TEST) > $_CONFIG['max_tlength'])
{
// Text is too long!
{
// Check if category and number of receivers is okay
$ADD = "";
- if (($_CONFIG['order_multi_page'] == "Y") && (!empty($_POST['zip']))) $ADD = "AND d.zip LIKE '".bigintval($_POST['zip'])."{PER}'";
+ if (($_CONFIG['order_multi_page'] == "Y") && (!empty($_POST['zip']))) {
+ // Choose recipients by ZIP code
+ $ADD = " AND d.zip LIKE '".bigintval($_POST['zip'])."{PER}'";
+ } // END - if
// Check for userids
$result = SQL_QUERY_ESC("SELECT DISTINCT c.userid FROM "._MYSQL_PREFIX."_user_cats AS c
LEFT JOIN "._MYSQL_PREFIX."_user_data AS d
ON c.userid=d.userid
-WHERE c.cat_id=%s AND c.userid != '%s' AND d.status='CONFIRMED' AND d.receive_mails > 0
-".$ADD."
+WHERE c.cat_id=%s AND c.userid != '%s' AND d.status='CONFIRMED' AND d.receive_mails > 0".$ADD."
ORDER BY d.%s %s",
array(
bigintval($_POST['cat']),
VALUES ('%s','%s','%s','%s','%s','TEMP','%s','%s','%s','%s','%s','%s')",
array(
$GLOBALS['userid'],
- addslashes($_POST['subject']),
- addslashes($_POST['text']),
+ $_POST['subject'],
+ $_POST['text'],
$RECEIVER,
bigintval($_POST['type']),
$TIME,
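Review bot: The replaced lines hand `$_POST['subject']` and `$_POST['text']` to the INSERT's value array with no escaping at all, and the global `addslashes()` loop that used to cover them is removed in this same commit, so the statement is only safe if the query helper (whose call head is outside this hunk) escapes every array element the way the earlier SELECT relies on `SQL_QUERY_ESC` to do. Since nothing in the hunk shows that, a one-line comment above the array would stop the next maintainer from "fixing" it by re-adding `addslashes()`: `// Raw POST values on purpose: the query helper escapes each array element, do not addslashes() here`. Note also that the rows are now stored without the extra backslashes, so any display path that still runs `stripslashes()` on subject/text would start removing backslashes the user actually typed; worth a grep before merging. The INSERT and its enclosing branch begin before this hunk.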
VALUES ('%s','%s','%s','%s','%s','TEMP','%s','%s','%s','%s','%s')",
array(
$GLOBALS['userid'],
- addslashes($_POST['subject']),
- addslashes($_POST['text']),
+ $_POST['subject'],
+ $_POST['text'],
$RECEIVER,
bigintval($_POST['type']),
$TIME,
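Review bot: This second INSERT repeats the value list of the one directly above it (same `$GLOBALS['userid']`, raw `$_POST['subject']`, raw `$_POST['text']`, `$RECEIVER`, `bigintval($_POST['type'])`, `$TIME`) with one fewer placeholder, so the escaping assumption the commit introduces now lives in two places that can drift apart. Building the shared values into one array before the branch and appending only the branch-specific element would give both queries a single escaping path and make a later audit of "what goes into the mail table unescaped" a one-line read. The statement and the `if`/`else` it sits in start outside this hunk, so the exact split point is not visible here.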