Browse Source

Wow, escape_string needs $db...

master
Ambrose Chua 6 years ago
parent
commit
6e10f2f5d1
  1. 7
      admin/index.php
  2. 2
      detail.php
  3. 2
      get.php
  4. 4
      like.php

7
admin/index.php

@ -8,7 +8,8 @@ $allok = 2;
$txt=$_POST["txt"];
$tim=$_POST["tim"];
$txt = preg_replace("#((http|https|ftp)://(\S*?\.\S*?))(\s|\;|\)|\]|\[|\{|\}|,|\"|'|:|\<|$|\.\s)#ie", "'<a href=\"$1\" target=\"_blank\">http://$3</a>$4'", $txt);
// Broken for some reason.
//$txt = preg_replace("#((http|https|ftp)://(\S*?\.\S*?))(\s|\;|\)|\]|\[|\{|\}|,|\"|'|:|\<|$|\.\s)#ie", "'<a href=\"$1\" target=\"_blank\">http://$3</a>$4'", $txt);
$txt = Parsedown::instance()->parse($txt);
@ -34,12 +35,12 @@ die("File upload error");
}
if (isset($_POST["txt"]) && isset($_POST["tim"])) {
if (isset($txt) && isset($tim)) {
include "../connect.php";
$mysql_table = MYSQL_TABLE;
$qry = "INSERT INTO `$mysql_table` (`id`, `txt`, `tim`) VALUES (NULL, '".mysqli_real_escape_string(nl2br($txt.$extrl))."', '".mysqli_real_escape_string($tim)."')";
$qry = "INSERT INTO `$mysql_table` (`id`, `txt`, `tim`) VALUES (NULL, '".mysqli_real_escape_string($db, nl2br($txt.$extrl))."', '".mysqli_real_escape_string($db, $tim)."')";
$result = mysqli_query($db, $qry);
if (!$result) {

2
detail.php

@ -5,7 +5,7 @@ include 'checklogin.php';
include "connect.php";
$mysql_table = MYSQL_TABLE;
$qry="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_real_escape_string($_GET["id"])."'";
$qry="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_real_escape_string($db, $_GET["id"])."'";
$result=mysqli_query($db, $qry);
if($result) {
if(mysqli_num_rows($result) == 1) {

2
get.php

@ -5,7 +5,7 @@ include 'checklogin.php';
include "connect.php";
$mysql_table = MYSQL_TABLE;
$qry="SELECT * FROM `$mysql_table` ORDER BY `$mysql_table`.`id` ASC LIMIT ".mysqli_real_escape_string($_GET["lastid"])." , 1000";
$qry="SELECT * FROM `$mysql_table` ORDER BY `$mysql_table`.`id` ASC LIMIT ".mysqli_real_escape_string($db, $_GET["lastid"])." , 1000";
$result=mysqli_query($db, $qry);
$newlastid=$_GET["lastid"];
$jspo=array();

4
like.php

@ -8,7 +8,7 @@ $stars=0;
$starred="";
$mysql_table = MYSQL_TABLE;
$qrya="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_real_escape_string($_GET["id"])."'";
$qrya="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_real_escape_string($db, $_GET["id"])."'";
$resulta=mysqli_query($db, $qrya);
if($resulta) {
if(mysqli_num_rows($resulta) == 1) {
@ -20,7 +20,7 @@ if($resulta) {
$stars=$stars+1;
if (isset($_GET["plusone"])) {
$qryb="UPDATE `$mysql_table` SET `pluses`='".($stars)."' WHERE `id`='".mysqli_real_escape_string($_GET["id"])."'";
$qryb="UPDATE `$mysql_table` SET `pluses`='".($stars)."' WHERE `id`='".mysqli_real_escape_string($db, $_GET["id"])."'";
$resultb=mysqli_query($db, $qryb);
if($resultb) {
$starred="Thanks for a ★! ";

Loading…
Cancel
Save