Fixing early Database::escape_string see BT#9269
jmontoyaa committed Jan 15, 2015
1 parent 589e001 commit 3463b04
Showing 1 changed file with 17 additions and 15 deletions.
32 changes: 17 additions & 15 deletions main/inc/lib/usermanager.lib.php
@@ -1530,8 +1530,6 @@ public static function update_extra_field_value($user_id, $fname, $fvalue = '')
$fvalues = $fvalue;
}

$fvalues = Database::escape_string($fvalues);

$sqluf = "SELECT * FROM $t_uf WHERE field_variable='$fname'";
$resuf = Database::query($sqluf);
$is_extra_file = false;
@@ -1546,9 +1544,9 @@ public static function update_extra_field_value($user_id, $fname, $fvalue = '')
UserManager::process_tags(explode(';', $fvalues), $user_id, $rowuf['id']);
return true;
break;
case self::USER_FIELD_TYPE_SELECT_MULTIPLE :
/*case self::USER_FIELD_TYPE_SELECT_MULTIPLE :
// check code from UserManager::update_user_picture() to use something similar here
break;
break;*/
case self::USER_FIELD_TYPE_RADIO:
case self::USER_FIELD_TYPE_SELECT:
case self::USER_FIELD_TYPE_SELECT_MULTIPLE:
@@ -1610,7 +1608,7 @@ public static function update_extra_field_value($user_id, $fname, $fvalue = '')
$rowufv = Database::fetch_array($resufv);
if ($rowufv['field_value'] != $fvalues) {
$sqlu = "UPDATE $t_ufv SET
field_value = '$fvalues',
field_value = '".Database::escape_string($fvalues)."',
tms = FROM_UNIXTIME($tms)
WHERE id = ".$rowufv['id'];
$resu = Database::query($sqlu);
@@ -1624,7 +1622,11 @@ public static function update_extra_field_value($user_id, $fname, $fvalue = '')
if ($rowufv['field_value'] != $fvalues) {
if ($is_extra_file) {
// To remove from user folder
self::remove_user_extra_file($user_id, $fname, $rowufv['field_value']);
self::remove_user_extra_file(
$user_id,
$fname,
$rowufv['field_value']
);
}
// If the new field is empty, delete it
if ($fvalues == '') {
@@ -1633,7 +1635,7 @@ public static function update_extra_field_value($user_id, $fname, $fvalue = '')
} else {
// Otherwise update it
$sql_query = "UPDATE $t_ufv SET
field_value = '$fvalues',
field_value = '".Database::escape_string($fvalues)."',
tms = FROM_UNIXTIME($tms)
WHERE id = ".$rowufv['id'];
}
@@ -1644,10 +1646,10 @@ public static function update_extra_field_value($user_id, $fname, $fvalue = '')

return true;
} else {
$sqli = "INSERT INTO $t_ufv (user_id,field_id,field_value,tms)
VALUES ( $user_id, ".$rowuf['id'].", '$fvalues', FROM_UNIXTIME($tms))";
$resi = Database::query($sqli);
return ($resi ? true : false);
$sql = "INSERT INTO $t_ufv (user_id,field_id,field_value,tms)
VALUES ( $user_id, ".$rowuf['id'].", '".Database::escape_string($fvalues)."', FROM_UNIXTIME($tms))";
$res = Database::query($sql);
return $res ? true : false;
}
} else {
// Field not found
@@ -3491,12 +3493,12 @@ public static function add_tag($tag, $user_id, $field_id)
if ($tag_id == 0) {
//the tag doesn't exist
$sql = "INSERT INTO $table_user_tag (tag, field_id,count) VALUES ('$tag','$field_id', count + 1)";
$result = Database::query($sql);
$last_insert_id = Database::get_last_insert_id();
Database::query($sql);
$last_insert_id = Database::insert_id();
} else {
//the tag exists we update it
$sql = "UPDATE $table_user_tag SET count = count + 1 WHERE id = $tag_id";
$result = Database::query($sql);
Database::query($sql);
$last_insert_id = $tag_id;
}

@@ -3507,7 +3509,7 @@ public static function add_tag($tag, $user_id, $field_id)
//if the relationship does not exist we create it
if (Database::num_rows($result) == 0) {
$sql = "INSERT INTO $table_user_tag_values SET user_id = $user_id, tag_id = $last_insert_id";
$result = Database::query($sql);
Database::query($sql);
}
}
}
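Review bot: With the early `Database::escape_string($fvalues)` removed, the tag branch now passes the raw value to `UserManager::process_tags(explode(';', $fvalues), $user_id, $rowuf['id'])`, and `add_tag` in the last two hunks still builds `VALUES ('$tag','$field_id', count + 1)` by interpolation. The opening lines of `process_tags` and `add_tag` are outside the visible hunks, so please confirm that `add_tag` escapes `$tag` itself; if it does not, add `$tag = Database::escape_string($tag);` at its top and cast `$field_id` and `$user_id` with `intval()` before they reach the SQL strings. The same question applies to `$fname` in `WHERE field_variable='$fname'` and to `$user_id` in the INSERT, whose escaping, if any, happens before the first hunk begins. Escaping at each of the three `field_value` call sites fixes the comparison against the stored value, but a single parameterised query helper would keep a future fourth call site from being missed.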