From f4d6836d51b506c31b6804a343c1940d6e2d8d7b Mon Sep 17 00:00:00 2001
From: Daniel Hromada
Date: Wed, 26 Jan 2011 22:45:33 +0100
Subject: [PATCH] getNodeIdByName sqlinjection safe
---
 wwwroot/backend/mysql/backend.inc | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/wwwroot/backend/mysql/backend.inc b/wwwroot/backend/mysql/backend.inc
index 18b0d98..0881c10 100644
--- a/wwwroot/backend/mysql/backend.inc
+++ b/wwwroot/backend/mysql/backend.inc
@@ -149,15 +149,17 @@ node_vector='".$params['node_vector']."'";
 }
 }
+ function getNodeIdByName($name, $external_link=false) {
+ global $db;
- function getNodeIdByName($name,$external_link=false) {
- global $db;
- $q="select node_id from nodes where node_name='$name'";
- if ($external_link) $q.=" and external_link='$external_link'";
- $set=$db->query($q);
- $set->next();
- return $set->getString('node_id');
- }
+ $qh = sprintf('select node_id from nodes where node_name = "%s"', mysql_real_escape_string($name));
+ if ($external_link)
+ $qh .= sprintf(' and external_link="%s"', mysql_real_escape_string($external_link));
+
+ $set = $db->query($qh);
+ $set->next();
+ return $set->getString('node_id');
+ }
 function getNodeById($node_handle,$user_id, $table_name="nodes") {
 global $db, $error;
--
2.30.2
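Review bot: The new query in getNodeIdByName wraps the escaped values in double quotes (`node_name = "%s"`, `external_link="%s"`), which MySQL reads as identifier quotes when the server runs with `ANSI_QUOTES`, so the lookup would fail there; keep the single quotes the old query used, e.g. `$qh = sprintf("select node_id from nodes where node_name = '%s'", mysql_real_escape_string($name));`. `mysql_real_escape_string()` is also called without a link identifier, so it escapes against whichever connection was opened last and is only reliable when that connection's character set was set through `mysql_set_charset()`; whether `$db` wraps that same connection is not visible in this hunk and should be confirmed. The hunk header's context line (`node_vector='".$params['node_vector']."'"`) suggests other queries in this file are still built by concatenation, so the same escaping, or parameterized queries if the `$db` wrapper supports them, is probably needed there too.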