Unnecessary addslashes() and SQL_ESCAPE() removed, some added, some bigintval() added
author
Roland Häder
<roland@mxchange.org>
Mon, 13 Oct 2008 17:51:03 +0000
(17:51 +0000)
committer
Roland Häder
<roland@mxchange.org>
Mon, 13 Oct 2008 17:51:03 +0000
(17:51 +0000)
16 files changed:
inc/databases.php
inc/modules/admin/what-admin_add.php
inc/modules/admin/what-adminedit.php
inc/modules/admin/what-config_cats.php
inc/modules/admin/what-edit_emails.php
inc/modules/admin/what-sub_points.php
inc/modules/guest/what-login.php
inc/modules/guest/what-register.php
inc/modules/member/what-holiday.php
inc/modules/member/what-mydata.php
inc/modules/member/what-newsletter.php
inc/modules/member/what-order.php
inc/modules/member/what-payout.php
inc/modules/member/what-support.php
inc/modules/member/what-transfer.php
inc/mysql-manager.php
diff --git
a/inc/databases.php
b/inc/databases.php
index 4ed7bc1b29804ca2c9f3e6ce5729dc8000949886..bd32483af66c354f0e00b6fcb61fef2e98eb908f 100644
(file)
--- a/
inc/databases.php
+++ b/
inc/databases.php
@@
-113,7
+113,7
@@
define('USAGE_BASE', "usage");
define('SERVER_URL', "http://www.mxchange.org");
// This current patch level
define('SERVER_URL', "http://www.mxchange.org");
// This current patch level
-define('CURR_SVN_REVISION', "51
3
");
+define('CURR_SVN_REVISION', "51
4
");
// Take a prime number which is long (if you know a longer one please try it out!)
define('_PRIME', 591623);
// Take a prime number which is long (if you know a longer one please try it out!)
define('_PRIME', 591623);
diff --git
a/inc/modules/admin/what-admin_add.php
b/inc/modules/admin/what-admin_add.php
index ca79dcea05f50333fed4c835b6034c619caf14b3..483a4b15e82478a9d189b0e970afcc0cafa31845 100644
(file)
--- a/
inc/modules/admin/what-admin_add.php
+++ b/
inc/modules/admin/what-admin_add.php
@@
-175,7
+175,7
@@
if (!isset($_POST['ok']))
$_POST['menu'],
$_POST['name'],
$_POST['title'],
$_POST['menu'],
$_POST['name'],
$_POST['title'],
-
addslashes($_POST['descr'])
,
+
$_POST['descr']
,
bigintval($_POST['sort']),
), __FILE__, __LINE__
);
bigintval($_POST['sort']),
), __FILE__, __LINE__
);
@@
-188,7
+188,7
@@
if (!isset($_POST['ok']))
array(
$_POST['name'],
$_POST['title'],
array(
$_POST['name'],
$_POST['title'],
-
addslashes($_POST['descr'])
,
+
$_POST['descr']
,
bigintval($_POST['sort']),
), __FILE__, __LINE__
);
bigintval($_POST['sort']),
), __FILE__, __LINE__
);
diff --git
a/inc/modules/admin/what-adminedit.php
b/inc/modules/admin/what-adminedit.php
index f30250d1d5db7699ce50169397b63af76f72605f..aadbd0c3db07e6cca43f044d6361f7463a849ebd 100644
(file)
--- a/
inc/modules/admin/what-adminedit.php
+++ b/
inc/modules/admin/what-adminedit.php
@@
-169,7
+169,7
@@
WHERE ".$AND." AND id=%s LIMIT 1",
$menu,
$_POST['sel_action'][$sel],
$_POST['sel_what'][$sel],
$menu,
$_POST['sel_action'][$sel],
$_POST['sel_what'][$sel],
-
addslashes($_POST['sel_desc'][$sel])
,
+
$_POST['sel_desc'][$sel]
,
$sel,
), __FILE__, __LINE__);
}
$sel,
), __FILE__, __LINE__);
}
diff --git
a/inc/modules/admin/what-config_cats.php
b/inc/modules/admin/what-config_cats.php
index 38e40127d28d0ca42d9c7ffd1b1b4ffc4f179a12..fd795ff259337216bd159d5e487a3f98cf31aecf 100644
(file)
--- a/
inc/modules/admin/what-config_cats.php
+++ b/
inc/modules/admin/what-config_cats.php
@@
-47,11
+47,11
@@
$CATS = "";
if (isset($_POST['add'])) {
// Add a new category
$result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_cats WHERE cat='%s' LIMIT 1",
if (isset($_POST['add'])) {
// Add a new category
$result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_cats WHERE cat='%s' LIMIT 1",
-
array(addslashes($_POST['catname'])
), __FILE__, __LINE__);
+
array($_POST['catname']
), __FILE__, __LINE__);
if (SQL_NUMROWS($result) == 0) {
// Category does not exists, we simply add it...
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_cats (cat, visible, sort) VALUES ('%s','%s','%s')",
if (SQL_NUMROWS($result) == 0) {
// Category does not exists, we simply add it...
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_cats (cat, visible, sort) VALUES ('%s','%s','%s')",
-
array(addslashes($_POST['catname'])
, $_POST['visible'], bigintval($_POST['parent'] + 1)), __FILE__, __LINE__);
+
array($_POST['catname']
, $_POST['visible'], bigintval($_POST['parent'] + 1)), __FILE__, __LINE__);
$content = "<SPAN class=\"admin_done\">".CATEGORY_ADDED."</SPAN>";
} else {
// Category does already exists
$content = "<SPAN class=\"admin_done\">".CATEGORY_ADDED."</SPAN>";
} else {
// Category does already exists
diff --git
a/inc/modules/admin/what-edit_emails.php
b/inc/modules/admin/what-edit_emails.php
index 907ceb22533a9ba3f78b8fea58de5b6e0b4e0fda..d073ed9011f4ca0ccf63964ebe40045340efe1e9 100644
(file)
--- a/
inc/modules/admin/what-edit_emails.php
+++ b/
inc/modules/admin/what-edit_emails.php
@@
-73,9
+73,9
@@
text='%s',
url='%s'
WHERE id=%s LIMIT 1",
array(
url='%s'
WHERE id=%s LIMIT 1",
array(
-
addslashes($_POST['subj'])
,
-
addslashes($_POST['text'])
,
-
addslashes($_POST['url'])
,
+
$_POST['subj']
,
+
$_POST['text']
,
+
$_POST['url']
,
bigintval($_POST['id']),
), __FILE__, __LINE__);
if (SQL_AFFECTEDROWS() == 1)
bigintval($_POST['id']),
), __FILE__, __LINE__);
if (SQL_AFFECTEDROWS() == 1)
diff --git
a/inc/modules/admin/what-sub_points.php
b/inc/modules/admin/what-sub_points.php
index 6ac305396f32c467db5fe2f63911d4e2ef034bfe..d962bc943c2cb7d108408d5b20aba45b6663877a 100644
(file)
--- a/
inc/modules/admin/what-sub_points.php
+++ b/
inc/modules/admin/what-sub_points.php
@@
-68,7
+68,7
@@
if ($_GET['u_id'] == "all")
// Prepare content
$content = array(
// Prepare content
$content = array(
- 'text' => SQL_ESCAPE($_POST['reason']),
+ 'text'
=> SQL_ESCAPE($_POST['reason']),
'points' => bigintval($_POST['points'])
);
'points' => bigintval($_POST['points'])
);
@@
-108,7
+108,7
@@
if ($_GET['u_id'] == "all")
// Prepare content
$content = array(
// Prepare content
$content = array(
- 'text' => SQL_ESCAPE($_POST['reason']),
+ 'text'
=> SQL_ESCAPE($_POST['reason']),
'points' => bigintval($_POST['points'])
);
'points' => bigintval($_POST['points'])
);
diff --git
a/inc/modules/guest/what-login.php
b/inc/modules/guest/what-login.php
index 76312e88df808e37719fa1447263e21c253b5084..efaf745c31b68e4e2eec7f094356e73609993f2e 100644
(file)
--- a/
inc/modules/guest/what-login.php
+++ b/
inc/modules/guest/what-login.php
@@
-239,11
+239,11
@@
if (IS_MEMBER()) {
if ($probe_nickname) {
// Nickname entered
$result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' OR email='%s' LIMIT 1",
if ($probe_nickname) {
// Nickname entered
$result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' OR email='%s' LIMIT 1",
-
array(addslashes($uid)
, $_POST['email']), __FILE__, __LINE__);
+
array($uid
, $_POST['email']), __FILE__, __LINE__);
} else {
// Direct userid entered
$result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s OR email='%s' LIMIT 1",
} else {
// Direct userid entered
$result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s OR email='%s' LIMIT 1",
-
array($uid
, $_POST['email']), __FILE__, __LINE__);
+
array(bigintval($uid)
, $_POST['email']), __FILE__, __LINE__);
}
// Any entry found?
}
// Any entry found?
diff --git
a/inc/modules/guest/what-register.php
b/inc/modules/guest/what-register.php
index cec98b6c1d7aaadb2468aa64a3803c02afaf593c..e4fa749c486ce10080e71e514302bd096bbf501b 100644
(file)
--- a/
inc/modules/guest/what-register.php
+++ b/
inc/modules/guest/what-register.php
@@
-221,7
+221,7
@@
if ((isset($_POST['ok'])) && (!$FAILED))
} else {
// Old way with enterable two-char-code
$countryRow = "country";
} else {
// Old way with enterable two-char-code
$countryRow = "country";
- $countryData =
addslashes(substr($_POST['cntry'], 0, 2)
);
+ $countryData =
substr($_POST['cntry'], 0, 2
);
}
//////////////////////////////
}
//////////////////////////////
@@
-232,14
+232,14
@@
if ((isset($_POST['ok'])) && (!$FAILED))
VALUES ('%s','%s','%s','%s','%s',%s,'%s','%s',%s, %s,%s,'%s',%s, %s,'%s','UNCONFIRMED','%s','%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP()".$ADD2.")",
array(
$countryRow,
VALUES ('%s','%s','%s','%s','%s',%s,'%s','%s',%s, %s,%s,'%s',%s, %s,'%s','UNCONFIRMED','%s','%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP()".$ADD2.")",
array(
$countryRow,
-
SQL_ESCAPE(substr($_POST['gender'], 0, 1)
),
-
SQL_ESCAPE($_POST['surname'])
,
-
SQL_ESCAPE($_POST['family_name'])
,
-
SQL_ESCAPE($_POST['street_nr'])
,
+
substr($_POST['gender'], 0, 1
),
+
$_POST['surname']
,
+
$_POST['family_name']
,
+
$_POST['street_nr']
,
$countryData,
bigintval($_POST['zip']),
$countryData,
bigintval($_POST['zip']),
-
SQL_ESCAPE($_POST['city'])
,
-
SQL_ESCAPE($_POST['addy'])
,
+
$_POST['city']
,
+
$_POST['addy']
,
bigintval($_POST['day']),
bigintval($_POST['month']),
bigintval($_POST['year']),
bigintval($_POST['day']),
bigintval($_POST['month']),
bigintval($_POST['year']),
diff --git
a/inc/modules/member/what-holiday.php
b/inc/modules/member/what-holiday.php
index 11da0f70aac02ad2e1b61f10c7b35792a9785eb5..0a840a1882396fc57e95b2d34ff949bca0cecab4 100644
(file)
--- a/
inc/modules/member/what-holiday.php
+++ b/
inc/modules/member/what-holiday.php
@@
-130,7
+130,7
@@
WHERE userid=%s LIMIT 1",
// Create task
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (userid, assigned_admin, status, task_type, subject, text, task_created) VALUES ('%s','0','NEW','HOLIDAY_REQUEST','%s','%s', UNIX_TIMESTAMP())",
// Create task
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (userid, assigned_admin, status, task_type, subject, text, task_created) VALUES ('%s','0','NEW','HOLIDAY_REQUEST','%s','%s', UNIX_TIMESTAMP())",
- array($GLOBALS['userid'], HOLIDAY_ADMIN_SUBJECT,
addslashes($msg)
), __FILE__, __LINE__);
+ array($GLOBALS['userid'], HOLIDAY_ADMIN_SUBJECT,
$msg
), __FILE__, __LINE__);
// Display message
LOAD_TEMPLATE("admin_settings_saved", false, HOLIDAY_IS_ACTIVATED_NOW);
// Display message
LOAD_TEMPLATE("admin_settings_saved", false, HOLIDAY_IS_ACTIVATED_NOW);
diff --git
a/inc/modules/member/what-mydata.php
b/inc/modules/member/what-mydata.php
index 37015ef26a2e695cd7923a0a8cba3a40dacb97a9..848b54f136ea8cc18b47d8bb6f7bf014ba6fe39f 100644
(file)
--- a/
inc/modules/member/what-mydata.php
+++ b/
inc/modules/member/what-mydata.php
@@
-201,25
+201,15
@@
case "save": // Save entered data
$DATA[3] = $DATA[2] + $_CONFIG['profile_lock'];
// How far is last change on his profile away from now?
$DATA[3] = $DATA[2] + $_CONFIG['profile_lock'];
// How far is last change on his profile away from now?
- if (($DATA[3] > time()) && (!IS_ADMIN()) && ($_CONFIG['profile_lock'] > 0))
- {
+ if (($DATA[3] > time()) && (!IS_ADMIN()) && ($_CONFIG['profile_lock'] > 0)) {
$DATA[3] = MAKE_DATETIME($DATA[3] + $_CONFIG['profile_lock'], "0");
// You cannot change your account
LOAD_TEMPLATE("member_mydata_locked");
$DATA[3] = MAKE_DATETIME($DATA[3] + $_CONFIG['profile_lock'], "0");
// You cannot change your account
LOAD_TEMPLATE("member_mydata_locked");
- }
- elseif (!VALIDATE_EMAIL($_POST['addy']))
- {
+ } elseif (!VALIDATE_EMAIL($_POST['addy'])) {
// Invalid email address!
LOAD_TEMPLATE("admin_settings_saved", false, INVALID_EMAIL_ADDRESS_ENTERED);
// Invalid email address!
LOAD_TEMPLATE("admin_settings_saved", false, INVALID_EMAIL_ADDRESS_ENTERED);
- }
- else
- {
- // Secure every submitted variable
- foreach ($_POST as $key => $value)
- {
- $_POST[$key] = addslashes($value);
- }
-
+ } else {
+ // Generate hash
$hash = generateHash($_POST['pass1'], substr($DATA[1], 0, -40));
if ((($hash == $DATA[1]) || ($_POST['pass1'] == $_POST['pass2'])) && (!empty($_POST['pass1'])))
{
$hash = generateHash($_POST['pass1'], substr($DATA[1], 0, -40));
if ((($hash == $DATA[1]) || ($_POST['pass1'] == $_POST['pass2'])) && (!empty($_POST['pass1'])))
{
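Review bot: The removed `foreach ($_POST as $key => $value) { $_POST[$key] = addslashes($value); }` loop was the only escaping applied to every POST field in this `else` branch, and the hunk shows only the password/hash lines that follow it; any `$_POST` value that the rest of the branch writes through a plain query or a string-built statement (outside the hunk) now reaches MySQL unescaped, while values bound through SQL_QUERY_ESC are presumably fine. A one-line comment at the new `// Generate hash` line would keep that invariant visible to the next maintainer: `// POST values are no longer pre-escaped; every query in this branch must bind them via SQL_QUERY_ESC`. The `else` branch continues past the end of the hunk.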
diff --git
a/inc/modules/member/what-newsletter.php
b/inc/modules/member/what-newsletter.php
index a427d96a2fb8c7d15d3ff3207913223eb50fc0c2..e6d343d55d6edae93d161ff9d6dc7f39d16f968e 100644
(file)
--- a/
inc/modules/member/what-newsletter.php
+++ b/
inc/modules/member/what-newsletter.php
@@
-65,7
+65,7
@@
if ((isset($_POST['ok'])) && ($status == "Y") && ($span == "0"))
// Add task
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (assigned_admin, status, task_type, subject, text, task_created, userid)
// Add task
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (assigned_admin, status, task_type, subject, text, task_created, userid)
-VALUES ('0','NEW','NL_UNSUBSCRIBE','".ADMIN_NL_SUBJECT."','".
addslashes($admin_msg)
."', UNIX_TIMESTAMP(),'%s')", array($GLOBALS['userid']), __FILE__, __LINE__);
+VALUES ('0','NEW','NL_UNSUBSCRIBE','".ADMIN_NL_SUBJECT."','".
$admin_msg
."', UNIX_TIMESTAMP(),'%s')", array($GLOBALS['userid']), __FILE__, __LINE__);
// Send mail to member
$msg = LOAD_EMAIL_TEMPLATE("member_newsletter_request", array(), $GLOBALS['userid']);
// Send mail to member
$msg = LOAD_EMAIL_TEMPLATE("member_newsletter_request", array(), $GLOBALS['userid']);
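Review bot: `$admin_msg` is still concatenated straight into the query string on the new `VALUES ('0','NEW','NL_UNSUBSCRIBE', ...` line rather than bound through the data array, so dropping addslashes() leaves it with no escaping at all — SQL_QUERY_ESC can presumably only escape the array entries it substitutes for `%s`. Unlike the other files in this commit, this hunk therefore trades double-escaping for none. The fix is to give the value a placeholder and move it into the array: `VALUES ('0','NEW','NL_UNSUBSCRIBE','".ADMIN_NL_SUBJECT."','%s', UNIX_TIMESTAMP(),'%s')", array($admin_msg, $GLOBALS['userid']), __FILE__, __LINE__);`. Whether `$admin_msg` carries user-controlled text depends on how it is built above the hunk.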
diff --git
a/inc/modules/member/what-order.php
b/inc/modules/member/what-order.php
index 5f5422dc5eb1d9092658829e54310a1ba4880edc..a41eb096a08a768861ae9f2a05b1197c3245fac8 100644
(file)
--- a/
inc/modules/member/what-order.php
+++ b/
inc/modules/member/what-order.php
@@
-55,13
+55,6
@@
if (empty($_POST['html'])) $_POST['html'] = "";
if (empty($_POST['receiver'])) $_POST['receiver'] = "";
if (IS_ADMIN()) $whereStatement = "";
if (empty($_POST['receiver'])) $_POST['receiver'] = "";
if (IS_ADMIN()) $whereStatement = "";
-// Add slashes to every value
-foreach($_POST as $key => $value)
-{
- // Skip submit buttons
- if (($key != "data") && ($key != "frametester")) $_POST[$key] = addslashes($value);
-}
-
// Minimum mails / order
define('__MIN_VALUE', $_CONFIG['order_min']);
// Minimum mails / order
define('__MIN_VALUE', $_CONFIG['order_min']);
@@
-138,7
+131,7
@@
WHERE sender=%s AND url='%s' AND timestamp > (UNIX_TIMESTAMP() - %s) LIMIT 1",
// URL found!
$URL = URL."/modules.php?module=login&what=order&msg=".CODE_URL_FOUND;
}
// URL found!
$URL = URL."/modules.php?module=login&what=order&msg=".CODE_URL_FOUND;
}
- $TEST = str_replace("\n", "", str_replace("\r", "",
addslashes($_POST['text'])
));
+ $TEST = str_replace("\n", "", str_replace("\r", "",
$_POST['text']
));
if (strlen($TEST) > $_CONFIG['max_tlength'])
{
// Text is too long!
if (strlen($TEST) > $_CONFIG['max_tlength'])
{
// Text is too long!
@@
-297,8
+290,8
@@
WHERE userid=%s AND holiday_start < UNIX_TIMESTAMP() AND holiday_end > UNIX_TIME
VALUES ('%s','%s','%s','%s','%s','TEMP','%s','%s','%s','%s','%s','%s')",
array(
$GLOBALS['userid'],
VALUES ('%s','%s','%s','%s','%s','TEMP','%s','%s','%s','%s','%s','%s')",
array(
$GLOBALS['userid'],
-
addslashes($_POST['subject'])
,
-
addslashes($_POST['text'])
,
+
$_POST['subject']
,
+
$_POST['text']
,
$RECEIVER,
bigintval($_POST['type']),
$TIME,
$RECEIVER,
bigintval($_POST['type']),
$TIME,
@@
-316,8
+309,8
@@
array(
VALUES ('%s','%s','%s','%s','%s','TEMP','%s','%s','%s','%s','%s')",
array(
$GLOBALS['userid'],
VALUES ('%s','%s','%s','%s','%s','TEMP','%s','%s','%s','%s','%s')",
array(
$GLOBALS['userid'],
-
addslashes($_POST['subject'])
,
-
addslashes($_POST['text'])
,
+
$_POST['subject']
,
+
$_POST['text']
,
$RECEIVER,
bigintval($_POST['type']),
$TIME,
$RECEIVER,
bigintval($_POST['type']),
$TIME,
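Review bot: The first hunk deletes the `foreach($_POST ...)` loop that added slashes to every POST field except `data` and `frametester`, but only `subject` and `text` are visible being re-bound through SQL_QUERY_ESC in the later hunks; any other `$_POST` field this file interpolates into a query without the data array (outside the hunks) now arrives unescaped. As a side effect the `$TEST = str_replace(...)` length check now measures the raw text rather than the slash-padded one, which is the more accurate comparison against `max_tlength`. A short comment where the loop used to be, such as `// POST data is bound unescaped; queries below must use SQL_QUERY_ESC placeholders`, would record the new contract.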
diff --git
a/inc/modules/member/what-payout.php
b/inc/modules/member/what-payout.php
index a62131dcc2a47d16fc646d45b9e416e8d3265487..9b9f607cfc1b827a4d623ae8439336f1c228a6c4 100644
(file)
--- a/
inc/modules/member/what-payout.php
+++ b/
inc/modules/member/what-payout.php
@@
-217,7
+217,7
@@
VALUES (%s,%s,%s, UNIX_TIMESTAMP(), 'NEW','%s','%s','%s')",
}
else
{
}
else
{
- $msg_adm =
addslashes(LOAD_EMAIL_TEMPLATE("admin_payout_request_banner", array(), $GLOBALS['userid'])
);
+ $msg_adm =
LOAD_EMAIL_TEMPLATE("admin_payout_request_banner", array(), $GLOBALS['userid']
);
}
}
else
}
}
else
@@
-236,7
+236,7
@@
VALUES (%s,%s,%s,'%s',%s, UNIX_TIMESTAMP(), 'NEW','%s')",
// Load templates
$msg_mem = LOAD_EMAIL_TEMPLATE("member_payout_request", array(), $GLOBALS['userid']);
// Load templates
$msg_mem = LOAD_EMAIL_TEMPLATE("member_payout_request", array(), $GLOBALS['userid']);
- $msg_adm =
addslashes(LOAD_EMAIL_TEMPLATE("admin_payout_request", array(), $GLOBALS['userid'])
);
+ $msg_adm =
LOAD_EMAIL_TEMPLATE("admin_payout_request", array(), $GLOBALS['userid']
);
$admin_tpl = "";
if (GET_EXT_VERSION("admins") >= "0.4.1")
{
$admin_tpl = "";
if (GET_EXT_VERSION("admins") >= "0.4.1")
{
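Review bot: `$msg_adm` loses its addslashes() in both hunks, but the INSERT that consumes it lies outside the hunks, so it is not visible whether the value is bound through the data array (the `'%s'` placeholders in the hunk headers suggest it is) or concatenated into the query string; only the former keeps it escaped after this change. Please confirm the consumer, and if it is concatenated, move it into the array as the other files in this commit do. The enclosing function starts and ends outside the hunks.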
diff --git
a/inc/modules/member/what-support.php
b/inc/modules/member/what-support.php
index 9d8b8fa23c25cfc0f4f869ca564ffcbf7fa88459..4dd06145e19faa8f2154b5a0dbec52516859bb16 100644
(file)
--- a/
inc/modules/member/what-support.php
+++ b/
inc/modules/member/what-support.php
@@
-76,7
+76,7
@@
if ((!isset($_POST['ok'])) || (empty($_POST['qsummary'])))
// Drop a message in the admin's area
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (userid, assigned_admin, status, task_type, subject, text, task_created) VALUES ('%s','0','NEW','SUPPORT_MEMBER','%s','%s', UNIX_TIMESTAMP())",
// Drop a message in the admin's area
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (userid, assigned_admin, status, task_type, subject, text, task_created) VALUES ('%s','0','NEW','SUPPORT_MEMBER','%s','%s', UNIX_TIMESTAMP())",
-
array($GLOBALS['userid'], addslashes($subj_a), addslashes($_POST['qsummary'].":".$_POST['qdetails'])
), __FILE__, __LINE__);
+
array($GLOBALS['userid'], $subj_a, $_POST['qsummary'].":".$_POST['qdetails']
), __FILE__, __LINE__);
// Form sent
LOAD_TEMPLATE("member_support_contcted");
// Form sent
LOAD_TEMPLATE("member_support_contcted");
diff --git
a/inc/modules/member/what-transfer.php
b/inc/modules/member/what-transfer.php
index 0a108622de869f7075540e24e8504ec657d1f407..c7130ff3deb2a2add9122177e6be739aa046b70a 100644
(file)
--- a/
inc/modules/member/what-transfer.php
+++ b/
inc/modules/member/what-transfer.php
@@
-185,11
+185,11
@@
case "new": // Start new transfer
// Add entries to both tables
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_user_transfers_in (userid, from_uid, points, reason, time_trans, trans_id) VALUES ('%s','%s','%s','%s', UNIX_TIMESTAMP(),'%s')",
// Add entries to both tables
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_user_transfers_in (userid, from_uid, points, reason, time_trans, trans_id) VALUES ('%s','%s','%s','%s', UNIX_TIMESTAMP(),'%s')",
-
array(bigintval($_POST['to_uid']), $GLOBALS['userid'], bigintval($_POST['points']), addslashes($_POST['reason'])
, __TRANS_ID),
- __FILE__, __LINE__);
+
array(bigintval($_POST['to_uid']), $GLOBALS['userid'], bigintval($_POST['points']), $_POST['reason']
, __TRANS_ID),
+
__FILE__, __LINE__);
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_user_transfers_out (userid, to_uid, points, reason, time_trans, trans_id) VALUES ('%s','%s','%s','%s', UNIX_TIMESTAMP(),'%s')",
$result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_user_transfers_out (userid, to_uid, points, reason, time_trans, trans_id) VALUES ('%s','%s','%s','%s', UNIX_TIMESTAMP(),'%s')",
-
array($GLOBALS['userid'], bigintval($_POST['to_uid']), bigintval($_POST['points']), addslashes($_POST['reason'])
, __TRANS_ID),
- __FILE__, __LINE__);
+
array($GLOBALS['userid'], bigintval($_POST['to_uid']), bigintval($_POST['points']), $_POST['reason']
, __TRANS_ID),
+
__FILE__, __LINE__);
// Add points to account *directly* ...
ADD_POINTS_REFSYSTEM(bigintval($_POST['to_uid']), bigintval($_POST['points']), false, "0", false, "direct");
// Add points to account *directly* ...
ADD_POINTS_REFSYSTEM(bigintval($_POST['to_uid']), bigintval($_POST['points']), false, "0", false, "direct");
diff --git
a/inc/mysql-manager.php
b/inc/mysql-manager.php
index 1def31192837709bc8214be54562fc4295a8229e..036e85393975441e53de6b724a3edf14a420736a 100644
(file)
--- a/
inc/mysql-manager.php
+++ b/
inc/mysql-manager.php
@@
-1917,7
+1917,7
@@
VALUES (%s,0,'NEW','EXTENSION','%s','%s',UNIX_TIMESTAMP())",
array(
$admin_id,
$subject,
array(
$admin_id,
$subject,
-
addslashes
($msg),
+
SQL_ESCAPE
($msg),
), __FILE__, __LINE__, true, false
);
} // END - if
), __FILE__, __LINE__, true, false
);
} // END - if
@@
-2057,7
+2057,7
@@
function ADD_BONUS_MAIL_TO_QUEUE ($subject, $text, $receiverList, $points, $seco
VALUES ('%s','%s','%s','%s','%s','NEW', UNIX_TIMESTAMP(),'%s','%s','%s','%s','%s')",
array(
$subject,
VALUES ('%s','%s','%s','%s','%s','NEW', UNIX_TIMESTAMP(),'%s','%s','%s','%s','%s')",
array(
$subject,
-
addslashes($text)
,
+
$text
,
$receiverList,
$points,
$seconds,
$receiverList,
$points,
$seconds,
@@
-2074,7
+2074,7
@@
VALUES ('%s','%s','%s','%s','%s','NEW', UNIX_TIMESTAMP(),'%s','%s','%s','%s','%s
VALUES ('%s','%s','%s','%s','%s','NEW', UNIX_TIMESTAMP(),'%s','%s','%s','%s')",
array(
$subject,
VALUES ('%s','%s','%s','%s','%s','NEW', UNIX_TIMESTAMP(),'%s','%s','%s','%s')",
array(
$subject,
-
addslashes($text)
,
+
$text
,
$receiverList,
$points,
$seconds,
$receiverList,
$points,
$seconds,
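Review bot: In the first hunk, `SQL_ESCAPE($msg)` in the task-system INSERT is the only call site in this commit that escapes explicitly while also going through SQL_QUERY_ESC, and the trailing `true, false` arguments on that call are the only visible hint why; if the final `false` disables the function's own escaping this is the correct replacement for addslashes(), otherwise `$msg` is double-escaped exactly as before. A comment on the line would stop the next cleanup pass from treating it as redundant: `SQL_ESCAPE($msg), // explicit: the trailing false below skips auto-escaping — confirm`. The enclosing function starts before the hunk; the two ADD_BONUS_MAIL_TO_QUEUE hunks that bind `$text` through the array need no such comment.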