Changeset 383

Timestamp:
2009-12-09 14:38:31 (2 years ago)
Author:
hannes
Message:

bugfix: ampersands in category or forum names

Files:

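--- a/trunk/admin/classes/pages/Addcategory.php
+++ b/trunk/admin/classes/pages/Addcategory.php
@@ -49,5 +49,5 @@
                 // add category
                 $q = $C->prepare('INSERT INTO ' . $SETTINGS['dbtableprefix'] . 'categories (category_name, category_order) VALUES (:cat, :order)');
-                $q->bindParam(':cat', $INPUT['newcategory'], PDO::PARAM_STR);
+                $q->bindParam(':cat', $F->htmlentities($INPUT['newcategory'], TRUE), PDO::PARAM_STR);
                 $q->bindParam(':order', $neworder, PDO::PARAM_INT, 12);
                 $q->execute();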
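Review bot: `PDOStatement::bindParam()` takes its value by reference, so passing the return value of `$F->htmlentities(...)` at new line 51 raises "Only variables should be passed by reference" and binds a temporary; a computed value belongs in `bindValue`: `$q->bindValue(':cat', $F->htmlentities($INPUT['newcategory'], TRUE), PDO::PARAM_STR);`. The same applies to every new `bindParam` line in Addforum.php, Modifycategory.php and Modifyforum.php. Separately, HTML-encoding before storage mixes the SQL and HTML contexts: the prepared statement already handles the SQL side, so the column now holds an HTML-encoded name and any display path that escapes on output will double-encode it; the ampersand symptom in the message is normally fixed by escaping at the output point and storing the raw name. The enclosing method starts before the hunk.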
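--- a/trunk/admin/classes/pages/Addforum.php
+++ b/trunk/admin/classes/pages/Addforum.php
@@ -49,6 +49,6 @@
                 // add forum
                 $q = $C->prepare('INSERT INTO ' . $SETTINGS['dbtableprefix'] . 'forums (forumtitle, forumdescription, forum_category, forum_order) VALUES (:title, :desc, :id, :order)');
-                $q->bindParam(':title', $INPUT['newcategory'], PDO::PARAM_STR);
-                $q->bindParam(':desc', $INPUT['all'], PDO::PARAM_STR);
+                $q->bindParam(':title', $F->htmlentities($INPUT['newcategory'], TRUE), PDO::PARAM_STR);
+                $q->bindParam(':desc', $F->htmlentities($INPUT['all'], TRUE), PDO::PARAM_STR);
                 $q->bindParam(':id', $INPUT['id'], PDO::PARAM_INT, 12);
                 $q->bindParam(':order', $neworder, PDO::PARAM_INT, 12);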
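--- a/trunk/admin/classes/pages/Modifycategory.php
+++ b/trunk/admin/classes/pages/Modifycategory.php
@@ -49,6 +49,6 @@
                     // update (just do it regardless of whether anything has actually changed
                     $q = $C->prepare('UPDATE ' . $SETTINGS['dbtableprefix'] . 'categories SET category_name = :name, category_order = :order WHERE category_id = :id');
-                    $q->bindParam(':name', $INPUT['newcategoryname'][$row['category_id']], PDO::PARAM_STR);
-                    $q->bindParam(':order', $INPUT['newcategoryorder'][$row['category_id']], PDO::PARAM_INT, 12);
+                    $q->bindParam(':name', $F->htmlentities($INPUT['newcategoryname'][$row['category_id']], TRUE), PDO::PARAM_STR);
+                    $q->bindParam(':order', $F->htmlentities($INPUT['newcategoryorder'][$row['category_id']], TRUE), PDO::PARAM_INT, 12);
                     $q->bindParam(':id', $row['category_id'], PDO::PARAM_INT, 12);
                     $q->execute();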
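--- a/trunk/admin/classes/pages/Modifyforum.php
+++ b/trunk/admin/classes/pages/Modifyforum.php
@@ -49,6 +49,6 @@
                     // update settings in database regardless of whether there actually have been any changes
                     $q = $C->prepare('UPDATE ' . $SETTINGS['dbtableprefix'] . 'forums SET forumtitle = :title, forumdescription = :desc, forum_category = :cat, forum_order = :order WHERE forumid = :id');
-                    $q->bindParam(':title', $INPUT['newforum'][$row['forumid']], PDO::PARAM_INT, 12);
-                    $q->bindParam(':desc', $INPUT['newdesc'][$row['forumid']], PDO::PARAM_STR);
+                    $q->bindParam(':title', $F->htmlentities($INPUT['newforum'][$row['forumid']], TRUE), PDO::PARAM_INT, 12);
+                    $q->bindParam(':desc', $F->htmlentities($INPUT['newdesc'][$row['forumid']], TRUE), PDO::PARAM_STR);
                     $q->bindParam(':cat', $INPUT['tocategory'][$row['forumid']], PDO::PARAM_INT, 12);
                     $q->bindParam(':order', $INPUT['newcategoryorder'][$row['forumid']], PDO::PARAM_INT, 12);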
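Review bot: New line 51 still binds `:title` with `PDO::PARAM_INT, 12` although `forumtitle` receives the HTML-encoded forum name; depending on the driver the string is coerced to an integer or truncated, so the title edit would not be saved as typed. The binding should use the same type as `:title` in Addforum.php, `$q->bindParam(':title', $F->htmlentities($INPUT['newforum'][$row['forumid']], TRUE), PDO::PARAM_STR);`. The enclosing loop body starts and ends outside the hunk.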