authorDries Buytaert <dries@buytaert.net>2001-03-07 21:29:40 +0000
committerDries Buytaert <dries@buytaert.net>2001-03-07 21:29:40 +0000
commitf516626a293edd613cb823db88e36dcf7e1fb8f4 (patch)
treeba3dd7432d4d13783e34fbc50a4d4308a142309b /modules/box.module
parent2b2e81f6cfce285f466c3c74cb25ad30c581d2cf (diff)
A rather large and important update:
Revised most of the SQL queries and tried to make Drupal as secure as possible (while trying to avoid redundant/duplicate checks). For Drupal's sake, try to screw something up. See the mail about PHPNuke being hacked approximately 6 days ago. Whoever finds a problem is rewarded with a beer (and I'm willing to ship it to Norway if required). I beg you to be evil. Try dumping a table à la "http://localhost/index.php?date=77778;DROP TABLE users" or something. ;)
Diffstat (limited to 'modules/box.module')
-rw-r--r--modules/box.module12
1 files changed, 6 insertions, 6 deletions
diff --git a/modules/box.module b/modules/box.module
index 54d2e0b1c..af00a5766 100644
--- a/modules/box.module
+++ b/modules/box.module
@@ -89,7 +89,7 @@ function box_admin_new() {
}
function box_admin_add($subject, $content, $info, $link, $type) {
- db_query("INSERT INTO boxes (subject, content, info, link, type) VALUES ('". check_input($subject) ."', '". check_code($content) ."', '". check_input($info) ."', '". check_input($link) ."', '". check_input($type) ."')");
+ db_query("INSERT INTO boxes (subject, content, info, link, type) VALUES ('$subject', '$content', '$info', '$link', '$type')");
}
function box_admin_delete($id) {
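Review bot: The new INSERT on the `+` line interpolates `$subject`, `$content`, `$info`, `$link` and `$type` verbatim, so box_admin_add() is now only safe when every caller has already run the values through check_input()/check_code(), and nothing in the function enforces or documents that. Because the old body did the escaping itself, a second caller written later (or a copy of this function into another module) will silently re-open the injection this commit is trying to close. A one-line contract comment above the query keeps that visible: `// Callers MUST pass values already escaped with check_input()/check_code(): they are interpolated verbatim into SQL.` The body of box_admin_delete() begins at the last context line and continues outside the hunk.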
@@ -144,7 +144,7 @@ function box_admin_edit($id) {
}
function box_admin_save($id, $subject, $content, $info, $link, $type) {
- db_query("UPDATE boxes SET subject = '". check_input($subject) ."', content = '". check_code($content) ."', info = '". check_input($info) ."', link = '". check_input($link) ."', type = '". check_input($type) ."' WHERE id = '$id'");
+ db_query("UPDATE boxes SET subject = '$subject', content = '$content', info = '$info', link = '$link', type = '$type' WHERE id = '$id'");
watchdog("message", "modified box `$subject'");
}
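Review bot: In the rewritten UPDATE, `$id` is quoted and interpolated as a string even though it is the row selector, so its safety depends entirely on the caller escaping it (the old line relied on the same thing and its call site passed `$id` unchecked, which this commit addresses elsewhere). If `boxes.id` is an integer column, casting in the query removes that dependency regardless of what check_input() does: `WHERE id = ". (int) $id`. The other five columns are now interpolated verbatim as well, so a short comment stating that arguments must arrive pre-escaped would make the contract explicit. Note that watchdog() on the following line logs the already-escaped `$subject`, so the log entry may carry escape characters — presumably harmless, but worth confirming against how watchdog() stores it.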
@@ -155,12 +155,12 @@ function box_admin() {
switch ($op) {
case "Add box":
- box_admin_add($subject, $content, $info, $link, $type);
+ box_admin_add(check_input($subject), check_code($content), check_input($info), check_input($link), check_input($type));
box_admin_display();
box_admin_rehash();
break;
case "Save box":
- box_admin_save($id, $subject, $content, $info, $link, $type);
+ box_admin_save(check_input($id), check_input($subject), check_code($content), check_input($info), check_input($link), check_input($type));
box_admin_display();
box_admin_rehash();
break;
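Review bot: The values fed into box_admin_add() and box_admin_save() in the `+` lines (`$id`, `$subject`, `$content`, `$info`, `$link`, `$type`) are never assigned inside box_admin() as shown, so they presumably arrive straight from the request (register_globals, given the era); that makes this switch the single trust boundary for the module now that the callees interpolate their arguments verbatim. Any future case label that calls one of the helpers without the check_input()/check_code() wrappers reintroduces SQL injection with no compile-time or runtime signal. A comment at the head of the switch should state the rule: `// Every request value must go through check_input()/check_code() here; the box_admin_* helpers interpolate their arguments into SQL verbatim.` For `$id` in the "Save box" case, a numeric cast (`(int) $id`) would not depend on what check_input() does with quotes, assuming id is an integer key. The switch statement starts before this hunk and continues past it.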
@@ -171,10 +171,10 @@ function box_admin() {
box_admin_new();
break;
case "edit":
- box_admin_edit($id);
+ box_admin_edit(check_input($id));
break;
case "delete":
- box_admin_delete($id);
+ box_admin_delete(check_input($id));
box_admin_rehash();
// fall through
default:
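Review bot: The `+` lines now pass check_input($id) to box_admin_edit() and box_admin_delete(), but both callees' bodies lie outside this hunk, so it cannot be confirmed here that they quote `$id` in their queries; string escaping only protects a value that sits inside SQL quotes, and an unquoted `WHERE id = $id` would still accept arbitrary SQL tokens. Since `$id` selects a row by key, casting at the call site is safe either way and independent of what check_input() does: `box_admin_edit((int) $id);` and `box_admin_delete((int) $id);`. The enclosing switch starts before this hunk, and the `// fall through` into `default:` after the delete case is pre-existing behaviour.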