appdb/include tableve.php
WineHQ
wineowner at wine.codeweavers.com
Tue Apr 24 18:36:11 CDT 2007
ChangeSet ID: 31102
CVSROOT: /opt/cvs-commit
Module name: appdb
Changes by: wineowner at winehq.org 2007/04/24 18:36:10
Modified files:
include : tableve.php
Log message:
Alexander Nicolaysen Sørnes <alex at thehandofagony.com>
Fix TableVE::make_option_list's where handling to prevent sql injection
Patch: http://cvs.winehq.org/patch.py?id=31102
Old revision New revision Changes Path
1.13 1.14 +15 -9 appdb/include/tableve.php
Index: appdb/include/tableve.php
diff -u -p appdb/include/tableve.php:1.13 appdb/include/tableve.php:1.14
--- appdb/include/tableve.php:1.13 24 Apr 2007 23:36:10 -0000
+++ appdb/include/tableve.php 24 Apr 2007 23:36:10 -0000
@@ -171,23 +171,29 @@ class TableVE {
echo html_frame_end();
}
- function make_option_list($varname, $cvalue, $table, $idField, $nameField, $where = "")
+ function make_option_list($sVarname, $sCvalue, $sTable, $sIdField, $sNameField, $aWhere = null)
{
- $hResult = query_parameters("SELECT ?, ? FROM ? ? ORDER BY '?'",
- $idField, $nameField, $table, $where, $nameField);
+ /* We do not allow direct insertion into of SQL code, so the WHERE clause is
+ is accepted in an array form, where the first element is the variable
+ and the second is the value it must be equal to */
+ if($aWhere)
+ $sWhere = "WHERE ".$aWhere[0]." ='".$aWhere[1]."'";
+
+ $hResult = query_parameters("SELECT ?, ? FROM ? $sWhere ORDER BY '?'",
+ $sIdField, $sNameField, $sTable, $sNameField);
if(!$hResult)
return; // Oops
- echo "<select name='$varname'>\n";
+ echo "<select name='$sVarname'>\n";
echo "<option value=0>Choose ...</option>\n";
- while(list($id, $name) = mysql_fetch_row($hResult))
+ while(list($iId, $sName) = mysql_fetch_row($hResult))
{
- if ($name == "NONAME")
+ if ($sName == "NONAME")
continue;
- if($id == $cvalue)
- echo "<option value=$id selected>$name\n";
+ if($iId == $sCvalue)
+ echo "<option value=$iId selected>$sName\n";
else
- echo "<option value=$id>$name\n";
+ echo "<option value=$iId>$sName\n";
}
echo "</select>\n";
}
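Review bot: The value `$aWhere[1]` is still concatenated straight into the SQL text on the `$sWhere = "WHERE ".$aWhere[0]." ='".$aWhere[1]."'"` line and then interpolated into the query string, so if that value ever originates from request data the injection the commit sets out to fix is only relocated, not removed; since `query_parameters` already takes `?` placeholders with a variable argument list (the removed call bound five of them), the value should be bound as a parameter and only the column name, which must come from code rather than input, kept in the string. As written `$sWhere` is also undefined when `$aWhere` is null, which raises an undefined-variable notice on the `$hResult = query_parameters(...)` line before interpolating as an empty string, so it needs an explicit `$sWhere = "";` default. The `while` loop's echo lines still emit `$sName` unescaped into the option text; they were only renamed here, but `htmlspecialchars($sName)` would be the matching fix in the same spirit. The comment above the `if` should state that `$aWhere[0]` is trusted as an identifier and `$aWhere[1]` is bound as a parameter, instead of the current "no direct insertion" wording.
```php
    $sWhere = "";
    if($aWhere)
    {
        /* Only the column name goes into the SQL text; the value is bound as a parameter */
        $sWhere = "WHERE ".$aWhere[0]." = ?";
        $hResult = query_parameters("SELECT ?, ? FROM ? $sWhere ORDER BY '?'",
                                    $sIdField, $sNameField, $sTable, $aWhere[1], $sNameField);
    }
    else
    {
        $hResult = query_parameters("SELECT ?, ? FROM ? ORDER BY '?'",
                                    $sIdField, $sNameField, $sTable, $sNameField);
    }
    // … unchanged: result check and <select> output loop …
```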