From 10b6a8fff7e6d407421c74889455b969be7f867f Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Thu, 20 Oct 2011 08:15:02 +0200 Subject: Wrap mysql_real_escape_string() in a function Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij Signed-off-by: Lukas Fleischer Conflicts: web/lib/aur.inc.php --- web/html/addvote.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'web/html/addvote.php') diff --git a/web/html/addvote.php b/web/html/addvote.php index fe3037d..f0e7d31 100644 --- a/web/html/addvote.php +++ b/web/html/addvote.php @@ -20,7 +20,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") { $error = ""; if (!empty($_POST['user'])) { - $qcheck = "SELECT * FROM Users WHERE Username = '" . mysql_real_escape_string($_POST['user']) . "'"; + $qcheck = "SELECT * FROM Users WHERE Username = '" . db_escape_string($_POST['user']) . "'"; $result = db_query($qcheck, $dbh); if ($result) { $check = mysql_num_rows($result); @@ -32,7 +32,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") { if ($check == 0) { $error.= __("Username does not exist."); } else { - $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . mysql_real_escape_string($_POST['user']) . "'"; + $qcheck = "SELECT * FROM TU_VoteInfo WHERE User = '" . db_escape_string($_POST['user']) . "'"; $qcheck.= " AND End > UNIX_TIMESTAMP()"; $result = db_query($qcheck, $dbh); if ($result) { @@ -67,9 +67,9 @@ if ($atype == "Trusted User" OR $atype == "Developer") { if (!empty($_POST['addVote']) && empty($error)) { $q = "INSERT INTO TU_VoteInfo (Agenda, User, Submitted, End, SubmitterID) VALUES "; - $q.= "('" . mysql_real_escape_string($_POST['agenda']) . "', "; - $q.= "'" . mysql_real_escape_string($_POST['user']) . "', "; - $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . mysql_real_escape_string($len); + $q.= "('" . db_escape_string($_POST['agenda']) . "', "; + $q.= "'" . db_escape_string($_POST['user']) . "', "; + $q.= "UNIX_TIMESTAMP(), UNIX_TIMESTAMP() + " . db_escape_string($len); $q.= ", " . uid_from_sid($_COOKIE["AURSID"]) . ")"; db_query($q, $dbh); -- cgit v1.2.3-70-g09d2