[Vtigercrm-commits] [vtiger-commits] r6906 - /vtigercrm/trunk/modules/Settings/add2db.php

vtigercrm-commits at vtiger.fosslabs.com vtigercrm-commits at vtiger.fosslabs.com
Tue Jun 6 13:35:49 EDT 2006


Author: allanbush
Date: Tue Jun  6 11:35:47 2006
New Revision: 6906

Log:
Proper escaping of sql data.  Refs #1271.

Modified:
    vtigercrm/trunk/modules/Settings/add2db.php

Modified: vtigercrm/trunk/modules/Settings/add2db.php
==============================================================================
--- vtigercrm/trunk/modules/Settings/add2db.php (original)
+++ vtigercrm/trunk/modules/Settings/add2db.php Tue Jun  6 11:35:47 2006
@@ -99,7 +99,7 @@
 		if(!isset($organization_logoname))
 			$organization_logoname="";
 
-		$sql="select * from organizationdetails where organizationame = '".$org_name."'";
+		$sql="SELECT * FROM organizationdetails WHERE organizationame = ".$adb->quote($org_name);
 		$result = $adb->query($sql);
 		$org_name = $adb->query_result($result,0,'organizationame');
 		$org_logo = $adb->query_result($result,0,'logoname'); 
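Review bot: `$org_name` on the new WHERE line is the lookup key, but the following line overwrites the same variable with the value read back from the row, so by the time the UPDATE in a later hunk uses `$org_name` in its own WHERE clause it holds the stored name rather than the input; giving the read-back value its own name, `$existing_org_name = $adb->query_result($result,0,'organizationame');` (and using it in the later `if($org_name=='')` test and WHERE), would make that visible. The new SQL also contains no literal quote characters, so it relies on `$adb->quote()` wrapping the value in single quotes as well as escaping it — presumably the ADODB qstr behaviour, but worth confirming against the wrapper and recording in a comment such as `// quote() escapes AND adds the surrounding quotes; never add them here`. The enclosing function starts before this hunk.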
@@ -107,7 +107,19 @@
 
 		if($org_name=='')
 		{
-			$sql="insert into organizationdetails(organizationame,address,city,state,code,country,phone,fax,website,logoname) values( '".$organization_name ."','".$organization_address."','". $organization_city."','".$organization_state."','".$organization_code."','".$organization_country."','".$organization_phone."','".$organization_fax."','".$organization_website."','".$organization_logoname."')";
+			$sql="INSERT INTO organizationdetails
+				(organizationame, address, city, state, code, country, phone, fax, website, logoname)
+				VALUES (".$adb->quote($organization_name).
+					",".$adb->quote($organization_address).
+					",".$adb->quote($organization_city).
+					",".$adb->quote($organization_state).
+					",".$adb->quote($organization_code).
+					",".$adb->quote($organization_country).
+					",".$adb->quote($organization_phone).
+					",".$adb->quote($organization_fax).
+					",".$adb->quote($organization_website).
+					",".$adb->quote($organization_logoname).
+				")";
 		}
 		else
 		{
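Review bot: The VALUES lines pass every `$organization_*` variable through `$adb->quote()` without regard to whether it was already escaped on the way in; the assignments of those variables are outside the hunk, and if they are taken straight from the request with magic_quotes_gpc enabled they arrive backslashed and are escaped a second time, so literal backslashes end up stored. The same applies to the UPDATE in the next hunk. Either strip the slashes where the request values are read when `get_magic_quotes_gpc()` is on, or state the contract where the values are assigned: `// values must be raw (unescaped); quote() performs all escaping`. The else branch opened at the end of this hunk continues outside it.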
@@ -130,7 +142,18 @@
 				$organization_logoname=$org_logo;
 			}
 
-			$sql="update organizationdetails set organizationame = '".$organization_name."', address = '".$organization_address."', city = '".$organization_city."', state = '".$organization_state."',  code = '".$organization_code."', country = '".$organization_country."' ,  phone = '".$organization_phone."' ,  fax = '".$organization_fax."',  website = '".$organization_website."', logoname = '". $organization_logoname ."' where organizationame = '".$org_name."'";
+			$sql = "UPDATE organizationdetails
+				SET organizationame = ".$adb->quote($organization_name).",
+					address = ".$adb->quote($organization_address).",
+					city = ".$adb->quote($organization_city).",
+					state = ".$adb->quote($organization_state).",
+					code = ".$adb->quote($organization_code).",
+					country = ".$adb->quote($organization_country)." ,
+					phone = ".$adb->quote($organization_phone)." ,
+					fax = ".$adb->quote($organization_fax).",
+					website = ".$adb->quote($organization_website).",
+					logoname = ".$adb->quote($organization_logoname)."
+				WHERE organizationame = ".$adb->quote($org_name);
 		}
 		$adb->query($sql);
 
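Review bot: The SET list repeats by hand the same ten columns as the INSERT in the previous hunk, and the spacing is already drifting (`." ,` on the country and phone lines versus `.","` elsewhere), which is how the two statements end up disagreeing about a column later. Building the SET clause from a column-to-value map that the INSERT can reuse keeps one list to maintain and leaves every value going through `$adb->quote()` exactly once; the column names in the map are fixed identifiers, so only the values are quoted. The `$adb->query($sql)` return value on the last context line is still unchecked, as before this change. The enclosing else branch starts before this hunk.
```php
$fields = array(
	'organizationame' => $organization_name,
	'address'         => $organization_address,
	'city'            => $organization_city,
	'state'           => $organization_state,
	'code'            => $organization_code,
	'country'         => $organization_country,
	'phone'           => $organization_phone,
	'fax'             => $organization_fax,
	'website'         => $organization_website,
	'logoname'        => $organization_logoname,
);
$set = array();
foreach ($fields as $column => $value) {
	// column names are fixed identifiers; only the value is quoted/escaped
	$set[] = $column." = ".$adb->quote($value);
}
$sql = "UPDATE organizationdetails SET ".implode(", ", $set).
	" WHERE organizationame = ".$adb->quote($org_name);
// … unchanged: closing brace of else, $adb->query($sql) …
```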




