Changeset:
        6e0aa8dfd402
        
https://sourceforge.net/p/mrbs/hg-code/ci/6e0aa8dfd402eac7ced710cfc7e4092167009229
Author:
        John Beranek <jbera...@users.sourceforge.net>
Date:
        Sat Sep 17 13:29:14 2016 +0100
Log message:

Parameterised SQL in header

diffstat:

 web/Themes/default/header.inc |  8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diffs (26 lines):

diff -r 31b95cb1598a -r 6e0aa8dfd402 web/Themes/default/header.inc
--- a/web/Themes/default/header.inc     Sat Sep 17 12:57:14 2016 +0100
+++ b/web/Themes/default/header.inc     Sat Sep 17 13:29:14 2016 +0100
@@ -151,6 +151,9 @@
         if ($approval_somewhere && (authGetUserLevel($user) >= 1))
         {
           $sql_approval_enabled = some_area_predicate('approval_enabled');
+
+          $sql_params = array();
+
           // Find out how many bookings are awaiting approval
           // (but only for areas where approval is required)
           $sql = "SELECT COUNT(*)
@@ -164,9 +167,10 @@
           if (!$is_admin)
           {
             // Ordinary users can only see their own
-            $sql .= " AND create_by='" . sql_escape($user) . "'";
+            $sql .= " AND create_by=?";
+            $sql_params[] = $user;
           }
-          $n_outstanding = sql_query1($sql);
+          $n_outstanding = sql_query1($sql, $sql_params);
           if ($n_outstanding < 0)
           {
             fatal_error(FALSE, get_vocab("fatal_db_error"));
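Review bot: The query is only partly parameterised here: `create_by` is now bound through `$sql_params`, but `$sql_approval_enabled`, built by `some_area_predicate('approval_enabled')` in the first hunk, is presumably still concatenated into `$sql` in the lines between the two hunks, so the statement's safety now rests on that predicate never carrying request-derived text. That assumption deserves a comment next to `$sql_params = array();`, e.g. `// Only create_by is bound as a parameter; the approval predicate is generated by some_area_predicate() and must not include user input.` In the admin branch `$sql_params` is passed as an empty array, which relies on `sql_query1()` accepting an empty parameter list and on the optional second argument not breaking other callers — worth confirming against its definition, which is not in this diff. The enclosing `if ($approval_somewhere ...)` block begins before the first hunk and ends after this one.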
