Removing excessive use of remove_XSS . i.e: Database::escape_string(Security::remove_XSS())

Julio Montoya 16 years ago
parent 7538ea649e
commit 69733a2969
  1. 21
      main/link/linkfunctions.php

@ -224,13 +224,12 @@ function deletelinkcategory($type) {
}
if ($type == 'category') {
global $id;
if (isset($_GET['id']) && !empty($_GET['id'])) {
// First we delete the category itself and afterwards all the links of this category.
$sql = "DELETE FROM ".$tbl_categories." WHERE id='".Database::escape_string(Security::remove_XSS($_GET['id']))."'";
$sql = "DELETE FROM ".$tbl_categories." WHERE id='".intval($_GET['id'])."'";
Database::query($sql);
$sql = "DELETE FROM ".$tbl_link." WHERE category_id='".Database::escape_string(Security::remove_XSS($_GET['id']))."'";
$sql = "DELETE FROM ".$tbl_link." WHERE category_id='".intval($_GET['id'])."'";
$catlinkstatus = get_lang('CategoryDeleted');
unset ($id);
Database::query($sql);
@ -238,6 +237,7 @@ function deletelinkcategory($type) {
Display::display_confirmation_message(get_lang('CategoryDeleted'));
}
}
}
/**
* Removes a link from search engine database
@ -328,7 +328,7 @@ function editlinkcategory($type) {
}
// Finding the old category_id
$sql = "SELECT * FROM ".$tbl_link." WHERE id='".Database::escape_string(Security::remove_XSS($_POST['id']))."'";
$sql = "SELECT * FROM ".$tbl_link." WHERE id='".intval($_POST['id'])."'";
$result = Database::query($sql);
$row = Database::fetch_array($result);
$category_id = $row['category_id'];
@ -342,7 +342,14 @@ function editlinkcategory($type) {
$max_display_order = $row['display_order'];
}
$sql = "UPDATE ".$tbl_link." set url='".Database::escape_string(Security::remove_XSS($_POST['urllink']))."', title='".Database::escape_string(Security::remove_XSS($_POST['title']))."', description='".Database::escape_string(Security::remove_XSS($_POST['description']))."', category_id='".Database::escape_string(Security::remove_XSS($_POST['selectcategory']))."', display_order='".$max_display_order."', on_homepage='".Database::escape_string(Security::remove_XSS($onhomepage))." ' $mytarget WHERE id='".Database::escape_string(Security::remove_XSS($_POST['id']))."'";
$sql = "UPDATE ".$tbl_link." SET " .
"url='".Database::escape_string($_POST['urllink'])."', " .
"title='".Database::escape_string($_POST['title'])."', " .
"description='".Database::escape_string($_POST['description'])."', " .
"category_id='".Database::escape_string($_POST['selectcategory'])."', " .
"display_order='".$max_display_order."', " .
"on_homepage='".Database::escape_string($onhomepage)." ' $mytarget " .
" WHERE id='".Database::escape_string($_POST['id'])."'";
Database::query($sql);
// Update search enchine and its values table if enabled
@ -453,7 +460,7 @@ function editlinkcategory($type) {
// This is used to put the modified info of the category-form into the database
if ($submit_category) {
$sql = "UPDATE ".$tbl_categories." set category_title='".Database::escape_string(Security::remove_XSS($_POST['category_title']))."', description='".Database::escape_string(Security::remove_XSS($_POST['description']))."' WHERE id='".Database::escape_string(Security::remove_XSS($_POST['id']))."'";
$sql = "UPDATE ".$tbl_categories." set category_title='".Database::escape_string($_POST['category_title'])."', description='".Database::escape_string($_POST['description'])."' WHERE id='".Database::escape_string($_POST['id'])."'";
Database::query($sql);
Display::display_confirmation_message(get_lang('CategoryModded'));
}
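Review bot: The WHERE clause in the last hunk still quotes `Database::escape_string($_POST['id'])`, and the UPDATE in the fourth hunk does the same for `category_id`, while the first and third hunks were switched to `intval()` for the same numeric id columns; the mixed treatment makes the new escaping policy harder to audit. Using `category_id='".intval($_POST['selectcategory'])."'` and `WHERE id='".intval($_POST['id'])."'` there would match the other hunks and guarantee an integer reaches the query. `$mytarget` and `$max_display_order` are still concatenated into the UPDATE without escaping; both are built outside the hunk, so confirm they never carry request input. Since `Security::remove_XSS` no longer runs at write time, the stored url/title/description are raw user text and the output path that renders them must escape for HTML; a comment such as `// Stored unsanitised; escape for HTML at display time` above the UPDATE would make that contract explicit. editlinkcategory() starts and ends outside these hunks.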
