From: Daniel Hromada <hromi@Aphrodité.(none)>
Date: Wed, 26 Jan 2011 21:45:33 +0000 (+0100)
Subject: getNodeIdByName sqlinjection safe
X-Git-Url: http://git.harvie.cz/?a=commitdiff_plain;h=f4d6836d51b506c31b6804a343c1940d6e2d8d7b;hp=a2ef7f73d6365d8feeeb9b98d53e2fbc7379174d;p=mirrors%2FKyberia-bloodline.git

getNodeIdByName sqlinjection safe
---

diff --git a/wwwroot/backend/mysql/backend.inc b/wwwroot/backend/mysql/backend.inc
index 18b0d98..0881c10 100644
--- a/wwwroot/backend/mysql/backend.inc
+++ b/wwwroot/backend/mysql/backend.inc
@@ -149,15 +149,17 @@ node_vector='".$params['node_vector']."'";
                 }
         }
 
+	function getNodeIdByName($name, $external_link=false) {
+	    global $db;
 
-        function getNodeIdByName($name,$external_link=false) {
-                global $db;
-                $q="select node_id from nodes where node_name='$name'";
-                if ($external_link) $q.=" and external_link='$external_link'";
-                $set=$db->query($q);
-                $set->next();
-                return $set->getString('node_id');
-        }
+	    $qh = sprintf('select node_id from nodes where node_name = "%s"', mysql_real_escape_string($name));
+    		if ($external_link)
+      			$qh .= sprintf(' and external_link="%s"', mysql_real_escape_string($external_link));
+
+	    $set = $db->query($qh);
+	    $set->next();
+	    return $set->getString('node_id');
+  	}
 
         function getNodeById($node_handle,$user_id, $table_name="nodes") {
                 global $db, $error;