From: Daniel Hromada
Date: Wed, 26 Jan 2011 21:45:33 +0000 (+0100)
Subject: getNodeIdByName sqlinjection safe
X-Git-Url: https://git.harvie.cz/?a=commitdiff_plain;h=f4d6836d51b506c31b6804a343c1940d6e2d8d7b;p=mirrors%2FKyberia-bloodline.git
getNodeIdByName sqlinjection safe
---
diff --git a/wwwroot/backend/mysql/backend.inc b/wwwroot/backend/mysql/backend.inc
index 18b0d98..0881c10 100644
--- a/wwwroot/backend/mysql/backend.inc
+++ b/wwwroot/backend/mysql/backend.inc
@@ -149,15 +149,17 @@ node_vector='".$params['node_vector']."'";
 }
 }
+ function getNodeIdByName($name, $external_link=false) {
+ global $db;
- function getNodeIdByName($name,$external_link=false) {
- global $db;
- $q="select node_id from nodes where node_name='$name'";
- if ($external_link) $q.=" and external_link='$external_link'";
- $set=$db->query($q);
- $set->next();
- return $set->getString('node_id');
- }
+ $qh = sprintf('select node_id from nodes where node_name = "%s"', mysql_real_escape_string($name));
+ if ($external_link)
+ $qh .= sprintf(' and external_link="%s"', mysql_real_escape_string($external_link));
+
+ $set = $db->query($qh);
+ $set->next();
+ return $set->getString('node_id');
+ }
 function getNodeById($node_handle,$user_id, $table_name="nodes") {
 global $db, $error;
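Review bot: The new body still calls `$set->next()` and then `$set->getString('node_id')` without checking that the query returned a row, so a name that does not exist is handled no better than before; if the project's result object reports this (a boolean from `next()` or a row count — I cannot see its definition from this hunk), guard it, e.g. `if (!$set->next()) return false;`. `mysql_real_escape_string()` escapes according to the charset of the default legacy mysql link, so the escaping is only correct if `$db` wraps that same link and its charset has been set (e.g. with `mysql_set_charset()`) — please confirm which connection `$db` uses; if `$db->query()` can take bound parameters, a prepared statement would remove that dependency entirely. The two `sprintf` lines also switch the SQL string-literal delimiters from `'...'` to `"..."`, which MySQL treats as identifier quotes when the `ANSI_QUOTES` sql_mode is enabled; keeping the original single quotes, `sprintf("select node_id from nodes where node_name = '%s'", mysql_real_escape_string($name))` and `sprintf(" and external_link='%s'", mysql_real_escape_string($external_link))`, avoids that. Lastly, `if ($external_link)` tests truthiness, so a link value of `"0"` silently drops the filter — pre-existing, but `$external_link !== false` would be the precise check while this function is being reworked.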