
Change esc.. to real_esc

master
Ambrose Chua 2016-10-31 02:15:51 +08:00
parent 3bfb275679
commit 73014ed1ac
4 changed files with 5 additions and 5 deletions


@ -39,7 +39,7 @@ if (isset($_POST["txt"]) && isset($_POST["tim"])) {
include "../connect.php";
$mysql_table = MYSQL_TABLE;
$qry = "INSERT INTO `$mysql_table` (`id`, `txt`, `tim`) VALUES (NULL, '".mysqli_escape_string(nl2br($txt.$extrl))."', '".mysqli_escape_string($tim)."')";
$qry = "INSERT INTO `$mysql_table` (`id`, `txt`, `tim`) VALUES (NULL, '".mysqli_real_escape_string(nl2br($txt.$extrl))."', '".mysqli_real_escape_string($tim)."')";
$result = mysqli_query($db, $qry);
if (!$result) {
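Review bot: Both `mysqli_real_escape_string` calls on the new INSERT line still omit the connection handle, which the procedural form requires as its first argument; called with a single argument PHP of that era emits a warning and returns null (PHP 8 throws an ArgumentCountError), so the interpolated values collapse to empty strings and the row is written with blank `txt` and `tim`. Because `mysqli_escape_string` is an alias of `mysqli_real_escape_string` with the same two-argument signature, the rename by itself changes nothing; the fix is `mysqli_real_escape_string($db, nl2br($txt.$extrl))` and `mysqli_real_escape_string($db, $tim)`, reusing the `$db` handle already passed to `mysqli_query` two lines below. The same missing argument affects the SELECT in the second file, the LIMIT clause in the third and both queries in the fourth file of this commit. A prepared statement (`mysqli_prepare` with `bind_param`) would remove the string building altogether; the enclosing `if (isset($_POST[...]))` block begins outside this hunk.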


@ -5,7 +5,7 @@ include 'checklogin.php';
include "connect.php";
$mysql_table = MYSQL_TABLE;
$qry="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_escape_string($_GET["id"])."'";
$qry="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_real_escape_string($_GET["id"])."'";
$result=mysqli_query($db, $qry);
if($result) {
if(mysqli_num_rows($result) == 1) {


@ -5,7 +5,7 @@ include 'checklogin.php';
include "connect.php";
$mysql_table = MYSQL_TABLE;
$qry="SELECT * FROM `$mysql_table` ORDER BY `$mysql_table`.`id` ASC LIMIT ".mysqli_escape_string($_GET["lastid"])." , 1000";
$qry="SELECT * FROM `$mysql_table` ORDER BY `$mysql_table`.`id` ASC LIMIT ".mysqli_real_escape_string($_GET["lastid"])." , 1000";
$result=mysqli_query($db, $qry);
$newlastid=$_GET["lastid"];
$jspo=array();
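Review bot: Escaping `$_GET["lastid"]` does nothing for the `LIMIT` clause on the new query line, because the value is interpolated unquoted: `mysqli_real_escape_string` only neutralises quote and control characters, so any non-numeric `lastid` still lands directly in SQL syntax. The offset should be coerced to an integer (or bound as one in a prepared statement) instead of escaped, e.g. `$lastid = (int) $_GET["lastid];` followed by `$qry="SELECT * FROM `$mysql_table` ORDER BY `$mysql_table`.`id` ASC LIMIT $lastid , 1000";`, and `$newlastid=$_GET["lastid"]` on the line after the query should use the same coerced `$lastid` rather than the raw parameter. The surrounding script continues past the end of this hunk.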


@ -8,7 +8,7 @@ $stars=0;
$starred="";
$mysql_table = MYSQL_TABLE;
$qrya="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_escape_string($_GET["id"])."'";
$qrya="SELECT * FROM `$mysql_table` WHERE `id`='".mysqli_real_escape_string($_GET["id"])."'";
$resulta=mysqli_query($db, $qrya);
if($resulta) {
if(mysqli_num_rows($resulta) == 1) {
@ -20,7 +20,7 @@ if($resulta) {
$stars=$stars+1;
if (isset($_GET["plusone"])) {
$qryb="UPDATE `$mysql_table` SET `pluses`='".($stars)."' WHERE `id`='".mysqli_escape_string($_GET["id"])."'";
$qryb="UPDATE `$mysql_table` SET `pluses`='".($stars)."' WHERE `id`='".mysqli_real_escape_string($_GET["id"])."'";
$resultb=mysqli_query($db, $qryb);
if($resultb) {
$starred="Thanks for a ★! ";