escape user data to sql

This commit is contained in:
fabrixxm 2015-08-06 16:08:14 +02:00
parent f9e61f20cc
commit e94e6d7500

View file

@ -18,7 +18,7 @@ function display_init(&$a) {
if (local_user()) {
$r = q("SELECT `id`, `parent`, `author-name`, `author-link`, `author-avatar`, `network`, `body`, `uid` FROM `item`
WHERE `item`.`visible` = 1 AND `item`.`deleted` = 0 and `item`.`moderated` = 0
AND `guid` = '%s' AND `uid` = %d", $a->argv[1], local_user());
AND `guid` = '%s' AND `uid` = %d", dbesc($a->argv[1]), local_user());
if (count($r)) {
$nick = $a->user["nickname"];
$itemuid = local_user();
@ -34,7 +34,7 @@ function display_init(&$a) {
AND `item`.`allow_cid` = '' AND `item`.`allow_gid` = ''
AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = ''
AND `item`.`private` = 0 AND NOT `user`.`hidewall`
AND `item`.`guid` = '%s'", $a->argv[1]);
AND `item`.`guid` = '%s'", dbesc($a->argv[1]));
// AND `item`.`private` = 0 AND `item`.`wall` = 1
if (count($r)) {
$nick = $r[0]["nickname"];
@ -50,7 +50,7 @@ function display_init(&$a) {
AND `item`.`allow_cid` = '' AND `item`.`allow_gid` = ''
AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = ''
AND `item`.`private` = 0 AND `item`.`uid` = 0
AND `item`.`guid` = '%s'", $a->argv[1]);
AND `item`.`guid` = '%s'", dbesc($a->argv[1]));
// AND `item`.`private` = 0 AND `item`.`wall` = 1
}
if (count($r)) {
@ -255,7 +255,7 @@ function display_content(&$a, $update = 0) {
if (local_user()) {
$r = q("SELECT `id` FROM `item`
WHERE `item`.`visible` = 1 AND `item`.`deleted` = 0 and `item`.`moderated` = 0
AND `guid` = '%s' AND `uid` = %d", $a->argv[1], local_user());
AND `guid` = '%s' AND `uid` = %d", dbesc($a->argv[1]), local_user());
if (count($r)) {
$item_id = $r[0]["id"];
$nick = $a->user["nickname"];
@ -268,7 +268,7 @@ function display_content(&$a, $update = 0) {
AND `item`.`allow_cid` = '' AND `item`.`allow_gid` = ''
AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = ''
AND `item`.`private` = 0 AND NOT `user`.`hidewall`
AND `item`.`guid` = '%s'", $a->argv[1]);
AND `item`.`guid` = '%s'", dbesc($a->argv[1]));
// AND `item`.`private` = 0 AND `item`.`wall` = 1
if (count($r)) {
$item_id = $r[0]["id"];
@ -281,7 +281,7 @@ function display_content(&$a, $update = 0) {
AND `item`.`allow_cid` = '' AND `item`.`allow_gid` = ''
AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = ''
AND `item`.`private` = 0 AND `item`.`uid` = 0
AND `item`.`guid` = '%s'", $a->argv[1]);
AND `item`.`guid` = '%s'", dbesc($a->argv[1]));
// AND `item`.`private` = 0 AND `item`.`wall` = 1
if (count($r)) {
$item_id = $r[0]["id"];