[Vtigercrm-commits] [vtiger-commits] r6907 - /vtigercrm/branches/4.2/modules/Settings/add2db.php
Tue Jun 6 13:41:48 EDT 2006
Author: allanbush
Date: Tue Jun 6 11:41:46 2006
New Revision: 6907
Log:
Proper escaping of SQL data. Closes #1271.
Modified:
vtigercrm/branches/4.2/modules/Settings/add2db.php
Modified: vtigercrm/branches/4.2/modules/Settings/add2db.php
==============================================================================
--- vtigercrm/branches/4.2/modules/Settings/add2db.php (original)
+++ vtigercrm/branches/4.2/modules/Settings/add2db.php Tue Jun 6 11:41:46 2006
@@ -110,7 +110,7 @@
if(!isset($organization_logoname))
$organization_logoname="";
- $sql="select * from organizationdetails where organizationame = '".$org_name."'";
+ $sql="SELECT * FROM organizationdetails WHERE organizationame = ".$adb->quote($org_name);
$result = $adb->query($sql);
$org_name = $adb->query_result($result,0,'organizationame');
$org_logo = $adb->query_result($result,0,'logoname');
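Review bot: The lookup still reads row 0 of `$result` with no check that the SELECT matched anything, so when no organisation row exists `query_result($result,0,...)` runs against an empty result set; the commit fixes the quoting but leaves this as it was. The new statements in this hunk and in the two that follow (INSERT and UPDATE) also drop their own surrounding single quotes, so correctness now rests entirely on `$adb->quote()` both escaping and wrapping the value — presumably it does, but that is not visible here. A one-line comment above the SELECT would make the contract explicit for the next maintainer: `// $adb->quote() escapes AND wraps the value; do not add quotes in the SQL text`. It is also not visible where `$org_name` is assigned before this point, so the first `$org_name` in the SELECT should be confirmed to be the intended (request-derived) value rather than a leftover.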
@@ -118,7 +118,20 @@
if($org_name=='')
{
- $sql="insert into organizationdetails(organizationame,address,city,state,code,country,phone,fax,website,logoname) values( '".$organization_name ."','".$organization_address."','". $organization_city."','".$organization_state."','".$organization_code."','".$organization_country."','".$organization_phone."','".$organization_fax."','".$organization_website."','".$organization_logoname."')";
+ $sql="INSERT INTO organizationdetails
+ (organizationame, address, city, state, code, country, phone, fax, website, logoname)
+ VALUES (".$adb->quote($organization_name).
+ ",".$adb->quote($organization_address).
+ ",".$adb->quote($organization_city).
+ ",".$adb->quote($organization_state).
+ ",".$adb->quote($organization_code).
+ ",".$adb->quote($organization_country).
+ ",".$adb->quote($organization_phone).
+ ",".$adb->quote($organization_fax).
+ ",".$adb->quote($organization_website).
+ ",".$adb->quote($organization_logoname).
+ ")";
+
}
else
{
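Review bot: There is a stray empty `+` line after the closing `")";` of the INSERT, directly before the `}` that ends the `if` block; it adds nothing and reads as an unfinished edit. Dropping it keeps the block as tight as the UPDATE branch in the next hunk. Style only; the quoting itself looks consistent across all ten columns.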
@@ -132,7 +145,18 @@
$organization_logoname=$org_logo;
}
- $sql="update organizationdetails set organizationame = '".$organization_name."', address = '".$organization_address."', city = '".$organization_city."', state = '".$organization_state."', code = '".$organization_code."', country = '".$organization_country."' , phone = '".$organization_phone."' , fax = '".$organization_fax."', website = '".$organization_website."', logoname = '". $organization_logoname ."' where organizationame = '".$org_name."'";
+ $sql = "UPDATE organizationdetails
+ SET organizationame = ".$adb->quote($organization_name).",
+ address = ".$adb->quote($organization_address).",
+ city = ".$adb->quote($organization_city).",
+ state = ".$adb->quote($organization_state).",
+ code = ".$adb->quote($organization_code).",
+ country = ".$adb->quote($organization_country)." ,
+ phone = ".$adb->quote($organization_phone)." ,
+ fax = ".$adb->quote($organization_fax).",
+ website = ".$adb->quote($organization_website).",
+ logoname = ".$adb->quote($organization_logoname)."
+ WHERE organizationame = ".$adb->quote($org_name);
}
$adb->query($sql);
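Review bot: The `country` and `phone` lines end with `." ,` while every other column in the UPDATE ends with `.",`, which is a leftover from the old one-line statement and makes the column list harder to scan. Normalising those two lines to `country = ".$adb->quote($organization_country).",` and `phone = ".$adb->quote($organization_phone).",` keeps the SET list uniform. The `$adb->query($sql)` at the end of the hunk executes whichever branch built `$sql` but does not check its return value; that is pre-existing behaviour, but if the insert or update fails the caller gets no indication.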