author | Dries Buytaert <dries@buytaert.net> | 2001-03-07 21:29:40 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2001-03-07 21:29:40 +0000 |
commit | f516626a293edd613cb823db88e36dcf7e1fb8f4 (patch) | |
tree | ba3dd7432d4d13783e34fbc50a4d4308a142309b /modules/backend.class | |
parent | 2b2e81f6cfce285f466c3c74cb25ad30c581d2cf (diff) | |
A rather large and important update:
revised most of the SQL queries and tried to make drupal as secure as possible (while trying to avoid redundant/duplicate checks). For drupal's sake, try to screw something up. See the mail about PHPNuke being hacked appr. 6 days ago. The one who finds a problem is rewarded a beer (and I'm willing to ship it to Norway if required). I beg you to be evil. Try dumping a table a la "http://localhost/index.php?date=77778;DROP TABLE users" or something. ;)
Diffstat (limited to 'modules/backend.class')
-rw-r--r-- | modules/backend.class | 23 |
1 files changed, 7 insertions, 16 deletions
diff --git a/modules/backend.class b/modules/backend.class
index 593b6904f..679c149a6 100644
--- a/modules/backend.class
+++ b/modules/backend.class
@@ -32,7 +32,7 @@ class backend {
 if (time() - $this->timestamp > $timout) $this->url2sql();
 // Read headlines:
- $result = db_query("SELECT * FROM headlines WHERE id = $this->id ORDER BY number");
+ $result = db_query("SELECT * FROM headlines WHERE id = '$this->id' ORDER BY number");
 while ($headline = db_fetch_object($result)) {
 array_push($this->headlines, "<A HREF=\"$headline->link\">$headline->title</A>");
 }
@@ -91,7 +91,7 @@ class backend {
 }
 // Mark channels as being updated:
- $result = db_query("UPDATE channel SET timestamp = '". time() ."' WHERE id = $this->id");
+ $result = db_query("UPDATE channel SET timestamp = '". time() ."' WHERE id = '$this->id'");
 $this->timestamp = time();
 }
 else {
@@ -113,7 +113,7 @@ class backend {
 if (time() - $this->timestamp > $timout) $this->url2sql();
 // Grab headlines from database:
- $result = db_query("SELECT * FROM headlines WHERE id = $this->id ORDER BY number");
+ $result = db_query("SELECT * FROM headlines WHERE id = '$this->id' ORDER BY number");
 while ($headline = db_fetch_object($result)) {
 $content .= "<LI><A HREF=\"$headline->link\">$headline->title</A></LI>";
 }
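Review bot: Wrapping `$this->id` in single quotes on the added `db_query` lines in all three hunks does not close the injection the commit message invites people to try: a value containing a `'` still terminates the string literal, and the previously unquoted form suggests `id` is a numeric column, so the value should be normalised once rather than quoted at every call site. Where `$this->id` is assigned (outside these hunks) it should be coerced, e.g. `$this->id = (int) $id;`, or each query should embed `" . (int) $this->id . "` instead; if the column is in fact a string, the value needs an escaping helper, not quotes. Quoting a numeric id also turns the comparison into a string compare, which on some engines bypasses the integer index. The context lines in hunks 1 and 3 additionally interpolate `$headline->link` and `$headline->title` — presumably taken from the fetched remote feed via `url2sql()` — straight into HTML without escaping, which this change does not touch but which the same quote-it approach would not fix either. The enclosing methods start and end outside these hunks.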
@@ -133,27 +133,18 @@ class backend {
 function delete() {
 // Delete channel:
- $result = db_query("DELETE FROM channel WHERE id = $this->id");
+ $result = db_query("DELETE FROM channel WHERE id = '$this->id'");
 // Delete headlines:
- $result = db_query("DELETE FROM headlines WHERE id = $this->id");
+ $result = db_query("DELETE FROM headlines WHERE id = '$this->id'");
 }
 function refresh() {
 // Delete headlines:
- $result = db_query("DELETE FROM headlines WHERE id = $this->id");
+ $result = db_query("DELETE FROM headlines WHERE id = '$this->id'");
 // Mark channel as invalid to enforce an update:
- $result = db_query("UPDATE channel SET timestamp = 1 WHERE id = $this->id");
- }
-
- function dump() {
- print "<B>Dump backend:</B><BR>";
- print "Id: $this->id<BR>";
- print "Site: $this->site<BR>";
- print "URL: $this->url<BR>";
- print "File: $this->file<BR>";
- print "Contact: $this->contact<BR>";
+ $result = db_query("UPDATE channel SET timestamp = 1 WHERE id = '$this->id'");
 }
 }
|
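Review bot: `delete()` and `refresh()` now run DELETE and UPDATE statements whose only guard is the single quote added around `$this->id`; an embedded `'` still ends the literal, so a crafted id can widen the WHERE clause on a destructive statement, which is a worse outcome than in the read-only queries earlier in the file. Casting at the top of each method removes any dependence on how the id was set: `$id = (int) $this->id;` followed by `... WHERE id = $id` (unquoted, once it is known to be an integer), or `'$id'` if the column really is a string. Note also that `delete()` issues two statements with no transaction and both `$result` values are assigned but never checked, so a failure after the first DELETE would presumably leave headline rows pointing at a removed channel with no error surfaced; at minimum the return values should be tested. Both methods are complete within this hunk, and the class closes at its last line.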