From f00eeddbf2c1c7185de0ebd9966507111512fc58 Mon Sep 17 00:00:00 2001 From: Patrick Cool Date: Wed, 14 Feb 2007 23:17:58 +0100 Subject: [PATCH] [svn r11117] casting $blog_id, $_user['id'], $task_id, ... and alike and using mysql_real_escape_string to fix XSS and SQL injections http://www.dokeos.com/forum/viewtopic.php?t=8464 --- main/blog/blog_admin.php | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/main/blog/blog_admin.php b/main/blog/blog_admin.php index da6dc5e586..08261c27c4 100644 --- a/main/blog/blog_admin.php +++ b/main/blog/blog_admin.php @@ -20,14 +20,14 @@ Contact: Dokeos, 181 rue Royale, B-1000 Brussels, Belgium, info@dokeos.com -============================================================================== +============================================================================== BLOG HOMEPAGE This file takes care of all blog navigation and displaying. @package dokeos.blogs -============================================================================== +============================================================================== */ // name of the language file that needs to be included 
@@ -39,21 +39,21 @@ require_once(api_get_path(LIBRARY_PATH) . "blog.lib.php"); $nameTools = get_lang("blog_management"); -// showing the header if we are not in the learning path, if we are in -// the learning path, we do not include the banner so we have to explicitly +// showing the header if we are not in the learning path, if we are in +// the learning path, we do not include the banner so we have to explicitly // include the stylesheet, which is normally done in the header -if ($_GET['origin'] != 'learnpath') -{ +if ($_GET['origin'] != 'learnpath') +{ Display::display_header($nameTools,'Blogs'); } -else +else { echo ""; } /* ============================================================================== PROCESSING.. -============================================================================== +============================================================================== */ if ($_POST['new_blog_submit']) { 
@@ -61,22 +61,22 @@ if ($_POST['new_blog_submit']) } if ($_POST['edit_blog_submit']) { - Blog::edit_blog(mysql_real_escape_string($_POST['blog_id']),mysql_real_escape_string($_POST['blog_name']),mysql_real_escape_string($_POST['blog_subtitle'])); + Blog::edit_blog(mysql_real_escape_string((int)$_POST['blog_id']),mysql_real_escape_string($_POST['blog_name']),mysql_real_escape_string($_POST['blog_subtitle'])); } if ($_GET['action'] == 'visibility') -{ - Blog::change_blog_visibility(mysql_real_escape_string($_GET['blog_id'])); +{ + Blog::change_blog_visibility(mysql_real_escape_string((int)$_GET['blog_id'])); } if ($_GET['action'] == 'delete') { - Blog::delete_blog(mysql_real_escape_string($_GET['blog_id'])); + Blog::delete_blog(mysql_real_escape_string((int)$_GET['blog_id'])); } /* ============================================================================== DISPLAY -============================================================================== +============================================================================== */ api_display_tool_title($nameTools); //api_introductionsection(TOOL_BLOG); @@ -88,7 +88,7 @@ api_display_tool_title($nameTools); } if ($_GET['action'] == 'edit') { - Blog::display_edit_blog_form(mysql_real_escape_string($_GET['blog_id'])); + Blog::display_edit_blog_form(mysql_real_escape_string((int)$_GET['blog_id'])); } echo "",
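Review bot: The `visibility` and `delete` branches still perform a state-changing action straight off a GET parameter with no CSRF token and no visible permission check, so a request such as `blog_admin.php?action=delete&blog_id=1` that an authenticated course admin is lured into loading deletes the blog; the `(int)` cast closes the injection but not that. Unless `Blog::delete_blog()` and `Blog::change_blog_visibility()` enforce authorization themselves (not visible in this hunk), gate the whole PROCESSING block on a course-editor permission check and require a session-bound token in the action links, rejecting the request when it is missing. Separately, `mysql_real_escape_string()` on a value already cast to `int` is a no-op and, more importantly, is not an XSS mitigation despite the commit message: `$_POST['blog_name']` and `$_POST['blog_subtitle']` are SQL-escaped here but still need `htmlspecialchars()` at every point where they are echoed back into HTML. The plain-int form, `Blog::delete_blog((int)$_GET['blog_id']);`, says what is actually being relied on.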
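Review bot: `(int)$_GET['blog_id']` turns a missing or non-numeric id into `0` (with an E_NOTICE when the key is absent), so `action=edit` with no valid id still renders the edit form for blog 0 instead of failing; guard it with `if (isset($_GET['blog_id']) && (int)$_GET['blog_id'] > 0)` and skip the form otherwise. The `mysql_real_escape_string()` wrapper around an int is redundant and hides the fact that the cast alone is the fix — `Blog::display_edit_blog_form((int)$_GET['blog_id']);` is clearer. Whether `display_edit_blog_form()` checks that the caller may edit this blog is not visible here; if it does not, the same permission check belongs in front of this branch.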