From 8500be3f1ba7bcab6b8523507e74a132df58d925 Mon Sep 17 00:00:00 2001 From: tbrehm <t.brehm@ispconfig.org> Date: Thu, 18 Sep 2008 06:25:41 -0400 Subject: [PATCH] - Changed addslashes to mysql_real_escape_string in several files. - Updated Debian installation instructions. --- interface/lib/classes/tform.inc.php | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php index 3d017aa..51e5ffe 100644 --- a/interface/lib/classes/tform.inc.php +++ b/interface/lib/classes/tform.inc.php @@ -482,14 +482,14 @@ switch ($field['datatype']) { case 'VARCHAR': if(!@is_array($record[$key])) { - $new_record[$key] = (isset($record[$key]))?addslashes($record[$key]):''; + $new_record[$key] = (isset($record[$key]))?mysql_real_escape_string($record[$key]):''; } else { $new_record[$key] = implode($field['separator'],$record[$key]); } break; case 'TEXT': if(!is_array($record[$key])) { - $new_record[$key] = addslashes($record[$key]); + $new_record[$key] = mysql_real_escape_string($record[$key]); } else { $new_record[$key] = implode($field['separator'],$record[$key]); } @@ -508,7 +508,7 @@ //if($key == 'refresh') die($record[$key]); break; case 'DOUBLE': - $new_record[$key] = addslashes($record[$key]); + $new_record[$key] = mysql_real_escape_string($record[$key]); break; case 'CURRENCY': $new_record[$key] = str_replace(",",".",$record[$key]); @@ -699,10 +699,16 @@ $salt.="$"; // $salt = substr(md5(time()),0,2); $record[$key] = crypt($record[$key],$salt); + $sql_insert_val .= "'".mysql_real_escape_string($record[$key])."', "; + } elseif ($field['encryption'] == 'MYSQL') { + $sql_insert_val .= "PASSWORD('".mysql_real_escape_string($record[$key])."'), "; + } elseif ($field['encryption'] == 'CLEARTEXT') { + $sql_insert_val .= "'".mysql_real_escape_string($record[$key])."', "; } else { $record[$key] = md5($record[$key]); + $sql_insert_val .= "'".mysql_real_escape_string($record[$key])."', "; } - $sql_insert_val .= "'".addslashes($record[$key])."', "; + } elseif ($field['formtype'] == 'CHECKBOX') { $sql_insert_key .= "`$key`, "; if($record[$key] == '') { @@ -726,10 +732,16 @@ $salt.="$"; // $salt = substr(md5(time()),0,2); $record[$key] = crypt($record[$key],$salt); + $sql_update .= "`$key` = '".mysql_real_escape_string($record[$key])."', "; + } elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') { + $sql_update .= "`$key` = PASSWORD('".mysql_real_escape_string($record[$key])."'), "; + } elseif (isset($field['encryption']) && $field['encryption'] == 'CLEARTEXT') { + $sql_update .= "`$key` = '".mysql_real_escape_string($record[$key])."', "; } else { $record[$key] = md5($record[$key]); + $sql_update .= "`$key` = '".mysql_real_escape_string($record[$key])."', "; } - $sql_update .= "`$key` = '".addslashes($record[$key])."', "; + } elseif ($field['formtype'] == 'CHECKBOX') { if($record[$key] == '') { // if a checkbox is not set, we set it to the unchecked value -- Gitblit v1.9.1