getNodeIdByName sqlinjection safe

diff --git a/wwwroot/backend/mysql/backend.inc b/wwwroot/backend/mysql/backend.inc
index 18b0d98c73debbdc474dd5c460c80ac313dac44a..0881c10384622a2cffc35adf3795e4961d158171 100644 (file)
--- a/wwwroot/backend/mysql/backend.inc
+++ b/wwwroot/backend/mysql/backend.inc
@@ -149,15 +149,17 @@ node_vector='".$params['node_vector']."'";
                 }
         }
 
+       function getNodeIdByName($name, $external_link=false) {
+           global $db;
 
-        function getNodeIdByName($name,$external_link=false) {
-                global $db;
-                $q="select node_id from nodes where node_name='$name'";
-                if ($external_link) $q.=" and external_link='$external_link'";
-                $set=$db->query($q);
-                $set->next();
-                return $set->getString('node_id');
-        }
+           $qh = sprintf('select node_id from nodes where node_name = "%s"', mysql_real_escape_string($name));
+               if ($external_link)
+                       $qh .= sprintf(' and external_link="%s"', mysql_real_escape_string($external_link));
+
+           $set = $db->query($qh);
+           $set->next();
+           return $set->getString('node_id');
+       }
 
         function getNodeById($node_handle,$user_id, $table_name="nodes") {
                 global $db, $error;