Change esc.. to real_esc
parent
3bfb275679
commit
73014ed1ac
|
@ -39,7 +39,7 @@ if (isset($_POST["txt"]) && isset($_POST["tim"])) {
|
|||
include "../connect.php";
|
||||
|
||||
$mysql_table = MYSQL_TABLE;
|
||||
$qry = "INSERT INTO `$mysql_table` (`id`, `txt`, `tim`) VALUES (NULL, '".mysqli_escape_string(nl2br($txt.$extrl))."', '".mysqli_escape_string($tim)."')";
|
||||
$qry = "INSERT INTO `$mysql_table` (`id`, `txt`, `tim`) VALUES (NULL, '".mysqli_real_escape_string(nl2br($txt.$extrl))."', '".mysqli_real_escape_string($tim)."')";
|
||||
$result = mysqli_query($db, $qry);
|
||||
|
||||
if (!$result) {
|
||||
|
|
|
@ -5,7 +5,7 @@ include 'checklogin.php';
|
|||
include "connect.php";
|
||||
|
||||
$mysql_table = MYSQL_TABLE;
|
||||
$qry="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_escape_string($_GET["id"])."'";
|
||||
$qry="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_real_escape_string($_GET["id"])."'";
|
||||
$result=mysqli_query($db, $qry);
|
||||
if($result) {
|
||||
if(mysqli_num_rows($result) == 1) {
|
||||
|
|
2
get.php
2
get.php
|
@ -5,7 +5,7 @@ include 'checklogin.php';
|
|||
include "connect.php";
|
||||
|
||||
$mysql_table = MYSQL_TABLE;
|
||||
$qry="SELECT * FROM `$mysql_table` ORDER BY `$mysql_table`.`id` ASC LIMIT ".mysqli_escape_string($_GET["lastid"])." , 1000";
|
||||
$qry="SELECT * FROM `$mysql_table` ORDER BY `$mysql_table`.`id` ASC LIMIT ".mysqli_real_escape_string($_GET["lastid"])." , 1000";
|
||||
$result=mysqli_query($db, $qry);
|
||||
$newlastid=$_GET["lastid"];
|
||||
$jspo=array();
|
||||
|
|
4
like.php
4
like.php
|
@ -8,7 +8,7 @@ $stars=0;
|
|||
$starred="";
|
||||
|
||||
$mysql_table = MYSQL_TABLE;
|
||||
$qrya="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_escape_string($_GET["id"])."'";
|
||||
$qrya="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_real_escape_string($_GET["id"])."'";
|
||||
$resulta=mysqli_query($db, $qrya);
|
||||
if($resulta) {
|
||||
if(mysqli_num_rows($resulta) == 1) {
|
||||
|
@ -20,7 +20,7 @@ if($resulta) {
|
|||
$stars=$stars+1;
|
||||
|
||||
if (isset($_GET["plusone"])) {
|
||||
$qryb="UPDATE `$mysql_table` SET `pluses`='".($stars)."' WHERE `id`='".mysqli_escape_string($_GET["id"])."'";
|
||||
$qryb="UPDATE `$mysql_table` SET `pluses`='".($stars)."' WHERE `id`='".mysqli_real_escape_string($_GET["id"])."'";
|
||||
$resultb=mysqli_query($db, $qryb);
|
||||
if($resultb) {
|
||||
$starred="Thanks for a ★! ";
|
||||
|
|
Loading…
Reference in New Issue