Changeset:
6e0aa8dfd402
https://sourceforge.net/p/mrbs/hg-code/ci/6e0aa8dfd402eac7ced710cfc7e4092167009229
Author:
John Beranek <[email protected]>
Date:
Sat Sep 17 13:29:14 2016 +0100
Log message:
Parameterised SQL in header
diffstat:
web/Themes/default/header.inc | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diffs (26 lines):
diff -r 31b95cb1598a -r 6e0aa8dfd402 web/Themes/default/header.inc
--- a/web/Themes/default/header.inc Sat Sep 17 12:57:14 2016 +0100
+++ b/web/Themes/default/header.inc Sat Sep 17 13:29:14 2016 +0100
@@ -151,6 +151,9 @@
if ($approval_somewhere && (authGetUserLevel($user) >= 1))
{
$sql_approval_enabled = some_area_predicate('approval_enabled');
+
+ $sql_params = array();
+
// Find out how many bookings are awaiting approval
// (but only for areas where approval is required)
$sql = "SELECT COUNT(*)
@@ -164,9 +167,10 @@
if (!$is_admin)
{
// Ordinary users can only see their own
- $sql .= " AND create_by='" . sql_escape($user) . "'";
+ $sql .= " AND create_by=?";
+ $sql_params[] = $user;
}
- $n_outstanding = sql_query1($sql);
+ $n_outstanding = sql_query1($sql, $sql_params);
if ($n_outstanding < 0)
{
fatal_error(FALSE, get_vocab("fatal_db_error"));
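Review bot: The `$sql_params` array declared in the first hunk only ever receives `$user` in the non-admin branch, so the rest of the query is still assembled by string concatenation; the `$sql_approval_enabled` predicate built on the line before the declaration is presumably spliced into `$sql` where the SELECT continues beyond the hunk, and that part stays outside the parameterisation, which is only fine if `some_area_predicate()` emits text it generates itself rather than anything request-supplied. A one-line comment on the declaration would make the contract explicit: `// Positional parameters for $sql, pushed in the same order as its '?' placeholders`. The SELECT statement at the end of the first hunk and the `if ($n_outstanding < 0)` block at the end of the second both continue outside the hunks shown.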