}
//does user exist?
$un=$_POST["adminuser"];
- $usr=$db->select("users","uname","uname='".addslashes($un)."'");
+ $usr=$db->select("users","uname","uname=".$db->escapeString($un));
if(count($usr)>0){
print("Error: User already exists.<p>");
break;
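Review bot: `$un=$_POST["adminuser"]` on the line before the escaped select is used without checking that the field is present and is a string; escapeString() only special-cases `false`, so a missing field (null) or a non-string value reaches mysql_real_escape_string and the predicate silently degrades to an empty-string comparison rather than an error. Validate at the boundary before building the query, e.g. `if(!isset($_POST["adminuser"]) || !is_string($_POST["adminuser"]) || $_POST["adminuser"]==="") { print("Error: invalid user name.<p>"); break; }`. The enclosing function and the loop this `break` leaves start outside the hunk.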
{
global $db;
if($amt<=0){
- $db->deleteRows("cart_ticket","cartid='".addslashes($this->cartid)."' and eventid=".$this->eventid);
+ $db->deleteRows("cart_ticket","cartid=".$db->escapeString($this->cartid)." and eventid=".$this->eventid);
$this->amount=0;
}else{
- $db->update("cart_ticket",array("amount"=>($amt+0)),"cartid='".addslashes($this->cartid)."' and eventid=".$this->eventid);
+ $db->update("cart_ticket",array("amount"=>($amt+0)),"cartid=".$db->escapeString($this->cartid)." and eventid=".$this->eventid);
$this->amount=$amt;
}
}
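Review bot: The rewritten predicates on the deleteRows and update lines now escape `cartid` but still concatenate `$this->eventid` raw with `" and eventid=".$this->eventid`; nothing in the hunk shows that eventid is guaranteed to be an integer. If it is numeric by design, make that explicit with a cast, `" and eventid=".(int)$this->eventid`, on both lines; otherwise pass it through `$db->escapeString()` like cartid. The method's signature is above the hunk, so the caller-facing contract for `$amt` cannot be checked here.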
//generate ID
$id=getRandom(128);
//check it does not exist
- $res=$db->select("cart","cartid","cartid='".addslashes($id)."'");
+ $res=$db->select("cart","cartid","cartid=".$db->escapeString($id));
if(count($res)==0){
$this->cartid=$id;
break;
$db->commitTransaction();
}else{
//check that cart exists
- $res=$db->select("cart","cartid","cartid='".addslashes($id)."'");
+ $res=$db->select("cart","cartid","cartid=".$db->escapeString($id));
if(count($res)>0)$this->cartid=$id;
}
}
public function getTickets()
{
if($this->cartid===false)return array();
- $res=$db->select("cart_ticket","*","where cartid='".addslashed($this->cartid)."'");
+ $res=$db->select("cart_ticket","*","where cartid=".$db->escapeString($this->cartid));
$ret=array();
if(count($res)>0)
foreach($res as $k=>$tc)
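Review bot: getTickets() uses `$db` on the select line without a `global $db;` declaration; the method body is fully visible from its opening brace to that call and only has the `$this->cartid===false` guard, whereas the sibling method at the top of this diff declares `global $db;` first, so this call would be made on an undefined variable. Add `global $db;` as the first statement of the method. Separately, the third argument here is `"where cartid=…"` while every other select in this diff passes a bare predicate (`"cartid=…"`, `"ckey=…"`), so this string probably yields `WHERE where cartid=…` if select() prepends the keyword — change it to `"cartid=".$db->escapeString($this->cartid)` unless select() is documented to accept the keyword. The method continues past the end of the hunk.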
if($tpa[0]=="defaultstr"){
if(count($tpa)<2)
return "DEFAULT NULL";
- return "DEFAULT '".addslashes($tpa[1])."'";
+ return "DEFAULT ".$this->escapeString($tpa[1]);
}
}
/**returns a configuration setting*/
public function getConfig($key)
{
- $mar=$this->select("config","cval","ckey='".addslashes($key)."'");
+ $mar=$this->select("config","cval","ckey=".$this->escapeString($key));
if(count($mar)>0)return $mar[0][0];
return false;
}
public function setConfig($key,$val)
{
$this->beginTransaction();
- $mar=$this->select("config","cval","ckey='".addslashes($key)."'");
- if(count($mar)>0)$this->update("config",array("cval"=>$val),"ckey='".addslashes($key)."'");
+ $mar=$this->select("config","cval","ckey=".$this->escapeString($key));
+ if(count($mar)>0)$this->update("config",array("cval"=>$val),"ckey=".$this->escapeString($key));
else $this->insert("config",array("ckey"=>$key,"cval"=>$val));
$this->commitTransaction();
}
{
return mysql_error();
}
+
+ /**escapes strings; it uses mysql_escape_string and encloses the value in ''*/
+ public function escapeString($s)
+ {
+ if($s === false) return "NULL";
+ return "'".mysql_real_escape_string($s)."'";
+ }
};
\ No newline at end of file
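Review bot: escapeString() does not check the return value of mysql_real_escape_string: when no connection has been opened yet the function returns `false` (with a warning), and `"'".false."'"` becomes the literal `''`, so a query built before connect() would silently compare against an empty string instead of failing. Capture the result and fail loudly, `$e=mysql_real_escape_string($s); if($e===false) throw new Exception("escapeString: no database connection"); return "'".$e."'";` (or whatever error path this class already uses; the method just above returns mysql_error()). The docblock also names mysql_escape_string while the code calls mysql_real_escape_string — make it `/**escapes a string for use in SQL using mysql_real_escape_string and encloses the result in single quotes; false becomes NULL*/`. Note that only `false` maps to `NULL`; a PHP `null` is escaped as the empty string `''`, which callers may not expect.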
return;
}
$db->beginTransaction();
- $res=$db->select("room","roomid","roomid='".addslashes($room)."'");
+ $res=$db->select("room","roomid","roomid=".$db->escapeString($room));
if(count($res)<1){
//end DB transaction
$db->rollbackTransaction();