From 71506db48cf7551ddc4c458804fcc302b434cc58 Mon Sep 17 00:00:00 2001
From: cweiske
Date: Sat, 16 Jan 2010 12:20:53 +0000
Subject: fix several sql injection possibilities

git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@599 b3834d28-1941-0410-a4f8-b48e95affb8f
---
 src/SemanticScuttle/Service/CommonDescription.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'src/SemanticScuttle/Service/CommonDescription.php')

diff --git a/src/SemanticScuttle/Service/CommonDescription.php b/src/SemanticScuttle/Service/CommonDescription.php
index 39c5826..0fffd32 100644
--- a/src/SemanticScuttle/Service/CommonDescription.php
+++ b/src/SemanticScuttle/Service/CommonDescription.php
@@ -76,7 +76,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
 $query = "SELECT *";
 $query.= " FROM `". $this->getTableName() ."`";
- $query.= " WHERE tag='".$tag."'";
+ $query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "'";
 $query.= " ORDER BY cdDatetime DESC";
 if (!($dbresult = & $this->db->sql_query_limit($query, 1, 0))) {
@@ -96,7 +96,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
 function getAllTagsDescription($tag) {
 $query = "SELECT *";
 $query.= " FROM `". $this->getTableName() ."`";
- $query.= " WHERE tag='".$tag."'";
+ $query.= ' WHERE tag=\'' . $this->db->sql_escape($tag) . "'";
 $query.= " ORDER BY cdDatetime DESC";
 if (!($dbresult = & $this->db->sql_query($query))) {
@@ -112,7 +112,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
 function getDescriptionById($cdId) {
 $query = "SELECT *";
 $query.= " FROM `". $this->getTableName() ."`";
- $query.= " WHERE cdId='".$cdId."'";
+ $query.= ' WHERE cdId=\'' . $this->db->sql_escape($cdId) . "'";
 if (!($dbresult = & $this->db->sql_query($query))) {
 message_die(GENERAL_ERROR, 'Could not get tag descriptions', '', __LINE__, __FILE__, $query, $this->db);
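Review bot: The new `WHERE tag=...` line in the first hunk (-76) still relies on string escaping, so the query is only as safe as the driver's `sql_escape()`; that helper is not visible here, and if it falls back to `addslashes()` for some drivers, or is not aware of the connection charset, multi-byte encodings such as GBK can still let a value break out of the quotes. It is worth confirming that `sql_escape()` goes through the connection-aware escaping path for every supported driver, or using a bound parameter if the DB layer offers one. As a point of style, the line now mixes single- and double-quoted fragments (`' WHERE tag=\''` next to `"'"`) while every neighbouring line uses double quotes; `$query.= " WHERE tag='" . $this->db->sql_escape($tag) . "'";` reads consistently with the rest of the builder and avoids the escaped apostrophe. The enclosing function's signature is above the hunk and its body continues below it.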
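Review bot: In getDescriptionById (hunk -112) `$cdId` is escaped as a string and compared inside quotes (`WHERE cdId='...'`), although the name suggests an integer key; if the column is numeric, a cast is the stronger guard and sidesteps both the escaper and an implicit string-to-number comparison: `$query.= ' WHERE cdId=' . (int)$cdId;`. The column type is not visible in this diff, so confirm it against the schema before switching to an unquoted comparison. The function's body continues past the hunk (the `message_die(...)` branch is the last line shown).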
@@ -151,7 +151,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
 function getLastBookmarkDescription($bHash) {
 $query = "SELECT *";
 $query.= " FROM `". $this->getTableName() ."`";
- $query.= " WHERE bHash='".$bHash."'";
+ $query.= ' WHERE bHash=\'' . $this->db->sql_escape($bHash) . "'";
 $query.= " ORDER BY cdDatetime DESC";
 if (!($dbresult = & $this->db->sql_query_limit($query, 1, 0))) {
@@ -171,7 +171,7 @@ class SemanticScuttle_Service_CommonDescription extends SemanticScuttle_DbServic
 function getAllBookmarksDescription($bHash) {
 $query = "SELECT *";
 $query.= " FROM `". $this->getTableName() ."`";
- $query.= " WHERE bHash='".$bHash."'";
+ $query.= ' WHERE bHash=\'' . $this->db->sql_escape($bHash) . "'";
 $query.= " ORDER BY cdDatetime DESC";
 if (!($dbresult = & $this->db->sql_query($query))) {
-- 
cgit v1.2.3-54-g00ecf
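Review bot: `$bHash` in getLastBookmarkDescription (hunk -151) is now escaped, but the name suggests it is a hex digest, and where the caller is not visible a positive format check is a cheaper and more explicit guard than escaping alone: `if (!ctype_xdigit($bHash)) {` followed by the function's normal not-found return, placed before the query is built, rejects malformed input outright. Whether every caller really passes a hex string is not shown in this diff, so check the producers of bHash before adding the whitelist. getLastBookmarkDescription's body continues past the hunk.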
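Review bot: The query assembled in getAllBookmarksDescription (hunk -171) is line for line the same as the one in getLastBookmarkDescription in the previous hunk, with the only difference being `sql_query` versus `sql_query_limit` on the following line, so the escaping fix had to be applied twice and any future change to it must be as well. Building the statement in one helper keeps the escaping in a single place and makes the two lookups differ only in how they run the query. getAllBookmarksDescription's body continues past the hunk, so the error-handling and fetch lines are not shown.

```php
// Shared by getLastBookmarkDescription and getAllBookmarksDescription;
// $bHash is escaped exactly once, here.
function buildBookmarkDescriptionQuery($bHash) {
    $query = "SELECT *";
    $query.= " FROM `". $this->getTableName() ."`";
    $query.= " WHERE bHash='" . $this->db->sql_escape($bHash) . "'";
    $query.= " ORDER BY cdDatetime DESC";
    return $query;
}

function getAllBookmarksDescription($bHash) {
    $query = $this->buildBookmarkDescriptionQuery($bHash);

    if (!($dbresult = & $this->db->sql_query($query))) {
    // … unchanged: error handling and result fetch …
```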