author | nikrou <nikrou@piwigo.org> | 2006-07-21 13:47:50 +0000 |
committer | nikrou <nikrou@piwigo.org> | 2006-07-21 13:47:50 +0000 |
commit | fdc7bdbd3b16d02ffc8d216cbe4696955edecf6e (patch) | |
tree | 44704d1effd2718deddf3962a5265c5fef3ce5b2 | |
parent | 19fa4408c85f85cfb6476a29d616f251eb20dde9 (diff) |
bug 471 fixed: quote in tags
svn merge from trunk into branch-1.6
git-svn-id: http://piwigo.org/svn/branches/branch-1_6@1488 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r-- | admin/tags.php | 17 | ||||
-rw-r--r-- | include/functions.inc.php | 34 |
2 files changed, 39 insertions, 12 deletions
diff --git a/admin/tags.php b/admin/tags.php
index 21000de98..95c6f7d77 100644
--- a/admin/tags.php
+++ b/admin/tags.php
@@ -149,20 +149,13 @@ DELETE
 if (isset($_POST['add']) and !empty($_POST['add_tag']))
 {
- if (function_exists('mysql_real_escape_string'))
- {
- $tag_name = mysql_real_escape_string($_POST['add_tag']);
- }
- else
- {
- $tag_name = mysql_escape_string($_POST['add_tag']);
- }
+ $tag_name = $_POST['add_tag'];
 // does the tag already exists?
 $query = '
 SELECT id
 FROM '.TAGS_TABLE.'
- WHERE name = \''.$tag_name.'\'
+ WHERE name = \''.pwg_quotemeta($tag_name).'\'
 ;';
 $existing_tags = array_from_query($query, 'id');
@@ -173,7 +166,7 @@ SELECT id
 array('name', 'url_name'),
 array(
 array(
- 'name' => $tag_name,
+ 'name' => pwg_quotemeta($tag_name),
 'url_name' => str2url($tag_name),
 )
 )
@@ -183,7 +176,7 @@ SELECT id
 $page['infos'],
 sprintf(
 l10n('Tag "%s" was added'),
- $tag_name
+ pwg_stripslashes($tag_name)
 )
 );
 }
@@ -193,7 +186,7 @@ SELECT id
 $page['errors'],
 sprintf(
 l10n('Tag "%s" already exists'),
- $tag_name
+ pwg_stripslashes($tag_name)
 )
 );
 }
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 970f80786..dae437a0d 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -460,6 +460,40 @@ function format_date($date, $type = 'us', $show_time = false)
 return $formated_date;
 }
+function pwg_stripslashes($value)
+{
+ if (get_magic_quotes_gpc())
+ {
+ $value = stripslashes($value);
+ }
+ return $value;
+}
+
+function pwg_addslashes($value)
+{
+ if (!get_magic_quotes_gpc())
+ {
+ $value = addslashes($value);
+ }
+ return $value;
+}
+
+function pwg_quotemeta($value)
+{
+ if (get_magic_quotes_gpc()) {
+ $value = stripslashes($value);
+ }
+ if (function_exists('mysql_real_escape_string'))
+ {
+ $value = mysql_real_escape_string($value);
+ }
+ else
+ {
+ $value = mysql_escape_string($value);
+ }
+ return $value;
+}
+
 function pwg_query($query)
 {
 global $conf,$page,$debug,$t2; |
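Review bot: In the -173 hunk of admin/tags.php the `'url_name' => str2url($tag_name),` line still receives the raw POST value while the neighbouring `'name'` now goes through pwg_quotemeta(), so the url_name column is written with no MySQL escaping and, with magic_quotes_gpc on, str2url() sees the backslashes magic quotes added. Whether that lets a quote reach the insert depends on what str2url() strips, which is outside this diff; the consistent form is `'url_name' => str2url(pwg_stripslashes($tag_name)),` with pwg_quotemeta() applied to its result if str2url() can pass quotes through. The -183 and -193 hunks place `pwg_stripslashes($tag_name)` straight into the page's info and error messages; unless the template escapes $page['infos']/$page['errors'] on output, the user-supplied name should be HTML-escaped there, e.g. `htmlspecialchars(pwg_stripslashes($tag_name))`. The enclosing if block starts and ends outside these hunks.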
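Review bot: pwg_quotemeta() in include/functions.inc.php re-implements the magic-quotes branch that pwg_stripslashes(), defined a few lines above in the same hunk, already provides, and does so with the brace on the `if` line unlike every other block in the hunk; replacing its first five body lines with `$value = pwg_stripslashes($value);` removes both the duplication and the style break. None of the three helpers says which context it is for: only pwg_quotemeta() yields a string safe inside a quoted MySQL literal, and only when mysql_real_escape_string() is available on an open connection whose charset matches the data, whereas pwg_addslashes()/pwg_stripslashes() merely normalise the magic_quotes_gpc state and must not be used as SQL escaping. A one-line header above each, such as `// undo magic_quotes, then escape $value for use inside a quoted MySQL literal` on pwg_quotemeta(), would keep callers from picking the wrong one.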