return false;
}
- $user_id=mysql_real_escape_string($_SESSION['user_id']);
- $user_name=mysql_real_escape_string($_SESSION['user_name']);
- $mail_name=mysql_real_escape_string($_POST['mail_to']);
+ $user_id=db_escape_string($_SESSION['user_id']);
+ $user_name=db_escape_string($_SESSION['user_name']);
+ $mail_name=db_escape_string($_POST['mail_to']);
if (!$mail_name) {
global $error;
if ($mail_to_id) {
- $mail_text=nodes::processContent($mail_text);
+ $mail_text=db_escape_string(nodes::processContent($mail_text));
global $htmlparse;
if ($htmlparse) {
$error=$htmlparse;
$q="insert into mail set mail_duplicate_id='$duplicate_id',
mail_read='no',mail_user='$mail_to_id_send',mail_from='$user_id',mail_text='$mail_text',
mail_to='$mail_to_id_send',mail_timestamp=NOW()";
- $result=$db->query($q);
- $db->query("update users set user_mail=user_mail+1,
-user_mail_name='$user_name', user_mail_id = '".mysql_real_escape_string($_SESSION['user_id'])."' where user_id='$mail_to_id_send'");
+ $result=$db->query($q);
+ $db->query("update users set user_mail=user_mail+1,".
+ //"user_mail_name='$user_name',". //Not in DB yet!
+ "user_mail_id='".db_escape_string($_SESSION['user_id'])."' where user_id='$mail_to_id_send'");
}
return true;
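Review bot: The insert and update on the new side still interpolate `$duplicate_id` and `$mail_to_id_send` directly into the SQL text, and nothing in the visible lines shows either going through `db_escape_string()` or an integer cast, so the escaping added for `$mail_text` does not by itself make these statements injection-safe. Confirm both are sanitized where they are assigned, or, if they are numeric ids, cast them before use, e.g. `$mail_to_id_send=(int)$mail_to_id_send;`. The update also re-escapes `$_SESSION['user_id']` although `$user_id` already holds the escaped value, so its last line can read `"user_mail_id='$user_id' where user_id='$mail_to_id_send'");`. With `user_mail_name` commented out, `$user_name` appears unused in these lines, and a commented-out operand in the middle of a concatenation is easy to break on the next edit. The enclosing function starts and ends outside the lines shown, so the assignments may exist out of view.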