<?php
function banlist() {
- global $db,$error,$node,$logger;
+ global $db,$error,$node;
$node_id=$node['node_id'];
if ($node['node_permission']!=('owner' || 'master' || 'op')) {
$error=$error_messages['EVENT_PERMISSION_ERROR'];
return false;
}
- $bans=explode(";",$_POST['bans']);
+ $bans = explode(";",$_POST['bans']); // XXX sqli?
+ $bans = array_map('db_escape_string', $bans);
$db->query("update node_access set node_permission='' where node_id=$node_id and node_permission='ban'");
foreach ($bans as $ban) {
$q="insert into node_access set node_permission='ban',node_id=$node_id,user_id=".$set->getString('user_id');
$db->query($q);
}
- $logger->log('add ban',$node_id,'ok',$ban);
+ logger::log('add ban',$node_id,'ok',$ban);
}
else { $error .= "$ban does not exist..."; }
}