Revision: 1122
          http://mrbs.svn.sourceforge.net/mrbs/?rev=1122&view=rev
Author:   jberanek
Date:     2009-06-19 21:58:03 +0000 (Fri, 19 Jun 2009)

Log Message:
-----------
* Removed unnecessary SQL escaping. When sql_syntax_caseless_contains()
 is used you don't need to use addslashes() as
 sql_syntax_caseless_contains() escapes the string itself. Added notes
 to this effect where sql_syntax_caseless_contains() is used.

Modified Paths:
--------------
    mrbs/trunk/web/report.php
    mrbs/trunk/web/search.php

Modified: mrbs/trunk/web/report.php
===================================================================
--- mrbs/trunk/web/report.php   2009-06-19 21:10:10 UTC (rev 1121)
+++ mrbs/trunk/web/report.php   2009-06-19 21:58:03 UTC (rev 1122)
@@ -609,11 +609,13 @@
 
   if (!empty($areamatch))
   {
-    $sql .= " AND" .  sql_syntax_caseless_contains("a.area_name", 
addslashes($areamatch));
+    // sql_syntax_caseless_contains() does the SQL escaping
+    $sql .= " AND" .  sql_syntax_caseless_contains("a.area_name", $areamatch);
   }
   if (!empty($roommatch))
   {
-    $sql .= " AND" .  sql_syntax_caseless_contains("r.room_name", 
addslashes($roommatch));
+    // sql_syntax_caseless_contains() does the SQL escaping
+    $sql .= " AND" .  sql_syntax_caseless_contains("r.room_name", $roommatch);
   }
   if (!empty($typematch))
   {
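Review bot: dropping addslashes() around $areamatch and $roommatch is only safe if sql_syntax_caseless_contains() quotes its argument with the database driver's own escape routine for every backend MRBS supports; nothing in this hunk shows that, so please verify the helper once and document the contract in its docblock rather than restating "does the SQL escaping" at each call site. Worth noting in the log as well that the old code double-escaped (addslashes() on top of the helper's escaping), so searches containing a quote or backslash would previously have missed matching rows; the change is a correctness fix as much as a cleanup.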
@@ -634,15 +636,18 @@
   }
   if (!empty($namematch))
   {
-    $sql .= " AND" .  sql_syntax_caseless_contains("e.name", 
addslashes($namematch));
+    // sql_syntax_caseless_contains() does the SQL escaping
+    $sql .= " AND" .  sql_syntax_caseless_contains("e.name", $namematch);
   }
   if (!empty($descrmatch))
   {
-    $sql .= " AND" .  sql_syntax_caseless_contains("e.description", 
addslashes($descrmatch));
+    // sql_syntax_caseless_contains() does the SQL escaping
+    $sql .= " AND" .  sql_syntax_caseless_contains("e.description", 
$descrmatch);
   }
   if (!empty($creatormatch))
   {
-    $sql .= " AND" .  sql_syntax_caseless_contains("e.create_by", 
addslashes($creatormatch));
+    // sql_syntax_caseless_contains() does the SQL escaping
+    $sql .= " AND" .  sql_syntax_caseless_contains("e.create_by", 
$creatormatch);
   }
 
   # If not overriding as public entries and user isn't and admin...
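Review bot: same pattern as the first hunk for $namematch, $descrmatch and $creatormatch; the identical one-line comment is now repeated five times in this function, which will drift the next time the escaping rules change. A single comment above the block of match conditions, or a pointer to the helper's documentation, would carry the same information with one place to maintain. The e.create_by / $creatormatch branch is the one where the search value is most likely to contain an apostrophe or backslash (user names), so it is a good candidate for a quick regression test of the helper's escaping.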

Modified: mrbs/trunk/web/search.php
===================================================================
--- mrbs/trunk/web/search.php   2009-06-19 21:10:10 UTC (rev 1121)
+++ mrbs/trunk/web/search.php   2009-06-19 21:58:03 UTC (rev 1122)
@@ -90,9 +90,11 @@
 $now = mktime(0, 0, 0, $month, $day, $year);
 
 // This is the main part of the query predicate, used in both queries:
-$sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", 
addslashes($search_str))
-  . " OR " . sql_syntax_caseless_contains("E.name", addslashes($search_str))
-  . " OR " . sql_syntax_caseless_contains("E.description", 
addslashes($search_str))
+// NOTE: sql_syntax_caseless_contains() does the SQL escaping
+    
+$sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", $search_str)
+  . " OR " . sql_syntax_caseless_contains("E.name", $search_str)
+  . " OR " . sql_syntax_caseless_contains("E.description", $search_str)
   . ") AND E.end_time > $now";
 
 # Unless we overriding privacy settings as "public" or user
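Review bot: the added NOTE comment is followed by a whitespace-only line (four spaces) before the $sql_pred assignment; drop the trailing whitespace or make it a genuinely empty line. Otherwise this mirrors the report.php change: $search_str is user input reaching three predicates, so the removal of addslashes() here also depends on sql_syntax_caseless_contains() applying driver-appropriate quoting, which should be confirmed against the helper rather than assumed from the comment.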

