From f4d6836d51b506c31b6804a343c1940d6e2d8d7b Mon Sep 17 00:00:00 2001
From: Daniel Hromada <hromi@Aphrodité.(none)>
Date: Wed, 26 Jan 2011 22:45:33 +0100
Subject: [PATCH] getNodeIdByName sqlinjection safe

---
 wwwroot/backend/mysql/backend.inc | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/wwwroot/backend/mysql/backend.inc b/wwwroot/backend/mysql/backend.inc
index 18b0d98..0881c10 100644
--- a/wwwroot/backend/mysql/backend.inc
+++ b/wwwroot/backend/mysql/backend.inc
@@ -149,15 +149,17 @@ node_vector='".$params['node_vector']."'";
                 }
         }
 
+	function getNodeIdByName($name, $external_link=false) {
+	    global $db;
 
-        function getNodeIdByName($name,$external_link=false) {
-                global $db;
-                $q="select node_id from nodes where node_name='$name'";
-                if ($external_link) $q.=" and external_link='$external_link'";
-                $set=$db->query($q);
-                $set->next();
-                return $set->getString('node_id');
-        }
+	    $qh = sprintf('select node_id from nodes where node_name = "%s"', mysql_real_escape_string($name));
+    		if ($external_link)
+      			$qh .= sprintf(' and external_link="%s"', mysql_real_escape_string($external_link));
+
+	    $set = $db->query($qh);
+	    $set->next();
+	    return $set->getString('node_id');
+  	}
 
         function getNodeById($node_handle,$user_id, $table_name="nodes") {
                 global $db, $error;
-- 
2.30.2