From 8500be3f1ba7bcab6b8523507e74a132df58d925 Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Thu, 18 Sep 2008 06:25:41 -0400
Subject: [PATCH] - Changed addslashes to mysql_real_escape_string in several files. - Updated Debian installation instructions.

---
 interface/lib/classes/tform.inc.php |   22 +++++++++++++++++-----
 1 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php
index 3d017aa..51e5ffe 100644
--- a/interface/lib/classes/tform.inc.php
+++ b/interface/lib/classes/tform.inc.php
@@ -482,14 +482,14 @@
                                 switch ($field['datatype']) {
                                 case 'VARCHAR':
                                         if(!@is_array($record[$key])) {
-                                                $new_record[$key] = (isset($record[$key]))?addslashes($record[$key]):'';
+                                                $new_record[$key] = (isset($record[$key]))?mysql_real_escape_string($record[$key]):'';
                                         } else {
                                                 $new_record[$key] = implode($field['separator'],$record[$key]);
                                         }
                                 break;
                                 case 'TEXT':
                                         if(!is_array($record[$key])) {
-                                                $new_record[$key] = addslashes($record[$key]);
+                                                $new_record[$key] = mysql_real_escape_string($record[$key]);
                                         } else {
                                                 $new_record[$key] = implode($field['separator'],$record[$key]);
                                         }
@@ -508,7 +508,7 @@
                                         //if($key == 'refresh') die($record[$key]);
                                 break;
                                 case 'DOUBLE':
-                                        $new_record[$key] = addslashes($record[$key]);
+                                        $new_record[$key] = mysql_real_escape_string($record[$key]);
                                 break;
                                 case 'CURRENCY':
                                         $new_record[$key] = str_replace(",",".",$record[$key]);
@@ -699,10 +699,16 @@
 																$salt.="$";
 																// $salt = substr(md5(time()),0,2);
 																$record[$key] = crypt($record[$key],$salt);
+																$sql_insert_val .= "'".mysql_real_escape_string($record[$key])."', ";
+														} elseif ($field['encryption'] == 'MYSQL') {
+																$sql_insert_val .= "PASSWORD('".mysql_real_escape_string($record[$key])."'), ";
+														} elseif ($field['encryption'] == 'CLEARTEXT') {
+																$sql_insert_val .= "'".mysql_real_escape_string($record[$key])."', ";
                                                         } else {
                                                                 $record[$key] = md5($record[$key]);
+																$sql_insert_val .= "'".mysql_real_escape_string($record[$key])."', ";
                                                         }
-														$sql_insert_val .= "'".addslashes($record[$key])."', ";
+														
                                                 } elseif ($field['formtype'] == 'CHECKBOX') {
                                                         $sql_insert_key .= "`$key`, ";
 														if($record[$key] == '') {
@@ -726,10 +732,16 @@
 																$salt.="$";
 																// $salt = substr(md5(time()),0,2);
 																$record[$key] = crypt($record[$key],$salt);
+																$sql_update .= "`$key` = '".mysql_real_escape_string($record[$key])."', ";
+														} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
+																$sql_update .= "`$key` = PASSWORD('".mysql_real_escape_string($record[$key])."'), ";
+														} elseif (isset($field['encryption']) && $field['encryption'] == 'CLEARTEXT') {
+																$sql_update .= "`$key` = '".mysql_real_escape_string($record[$key])."', ";
                                                         } else {
                                                                 $record[$key] = md5($record[$key]);
+																$sql_update .= "`$key` = '".mysql_real_escape_string($record[$key])."', ";
                                                         }
-                                                        $sql_update .= "`$key` = '".addslashes($record[$key])."', ";
+                                                        
                                                 } elseif ($field['formtype'] == 'CHECKBOX') {
 														if($record[$key] == '') {
 															// if a checkbox is not set, we set it to the unchecked value

--
Gitblit v1.9.1