aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--admin/tags.php17
-rw-r--r--include/functions.inc.php34
2 files changed, 39 insertions, 12 deletions
diff --git a/admin/tags.php b/admin/tags.php
index 21000de98..95c6f7d77 100644
--- a/admin/tags.php
+++ b/admin/tags.php
@@ -149,20 +149,13 @@ DELETE
if (isset($_POST['add']) and !empty($_POST['add_tag']))
{
- if (function_exists('mysql_real_escape_string'))
- {
- $tag_name = mysql_real_escape_string($_POST['add_tag']);
- }
- else
- {
- $tag_name = mysql_escape_string($_POST['add_tag']);
- }
+ $tag_name = $_POST['add_tag'];
// does the tag already exists?
$query = '
SELECT id
FROM '.TAGS_TABLE.'
- WHERE name = \''.$tag_name.'\'
+ WHERE name = \''.pwg_quotemeta($tag_name).'\'
;';
$existing_tags = array_from_query($query, 'id');
@@ -173,7 +166,7 @@ SELECT id
array('name', 'url_name'),
array(
array(
- 'name' => $tag_name,
+ 'name' => pwg_quotemeta($tag_name),
'url_name' => str2url($tag_name),
)
)
@@ -183,7 +176,7 @@ SELECT id
$page['infos'],
sprintf(
l10n('Tag "%s" was added'),
- $tag_name
+ pwg_stripslashes($tag_name)
)
);
}
@@ -193,7 +186,7 @@ SELECT id
$page['errors'],
sprintf(
l10n('Tag "%s" already exists'),
- $tag_name
+ pwg_stripslashes($tag_name)
)
);
}
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 970f80786..dae437a0d 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -460,6 +460,40 @@ function format_date($date, $type = 'us', $show_time = false)
return $formated_date;
}
+function pwg_stripslashes($value)
+{
+ if (get_magic_quotes_gpc())
+ {
+ $value = stripslashes($value);
+ }
+ return $value;
+}
+
+function pwg_addslashes($value)
+{
+ if (!get_magic_quotes_gpc())
+ {
+ $value = addslashes($value);
+ }
+ return $value;
+}
+
+function pwg_quotemeta($value)
+{
+ if (get_magic_quotes_gpc()) {
+ $value = stripslashes($value);
+ }
+ if (function_exists('mysql_real_escape_string'))
+ {
+ $value = mysql_real_escape_string($value);
+ }
+ else
+ {
+ $value = mysql_escape_string($value);
+ }
+ return $value;
+}
+
function pwg_query($query)
{
global $conf,$page,$debug,$t2;