From 0898f1447a2d6bdc893f55f4718f867734841361 Mon Sep 17 00:00:00 2001 From: elij Date: Wed, 11 May 2011 16:17:12 -0700 Subject: test return value from db_query before assuming it is valid make the sql query form consistent in usage by cleaning up instances where db_query's result was not inspected before attempting to fetch row data from the handle Signed-off-by: Lukas Fleischer --- web/html/addvote.php | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'web/html/addvote.php') diff --git a/web/html/addvote.php b/web/html/addvote.php index 5936d56..a459610 100644 --- a/web/html/addvote.php +++ b/web/html/addvote.php @@ -21,14 +21,26 @@ if ($atype == "Trusted User" OR $atype == "Developer") { if (!empty($_POST['user'])) { $qcheck = "SELECT * FROM Users WHERE Username = '" . mysql_real_escape_string($_POST['user']) . "'"; - $check = mysql_num_rows(db_query($qcheck, $dbh)); + $result = db_query($qcheck, $dbh); + if ($result) { + $check = mysql_num_rows($result); + } + else { + $check = 0; + } if ($check == 0) { $error.= __("Username does not exist."); } else { $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . mysql_real_escape_string($_POST['user']) . "'"; $qcheck.= " AND End > UNIX_TIMESTAMP()"; - $check = mysql_num_rows(db_query($qcheck, $dbh)); + $result = db_query($qcheck, $dbh); + if ($result) { + $check = mysql_num_rows($result); + } + else { + $check = 0; + } if ($check != 0) { $error.= __("%s already has proposal running for them.", htmlentities($_POST['user'])); -- cgit v1.2.3-70-g09d2