diff options
author | Simon | 2011-04-18 15:31:39 +0200 |
---|---|---|
committer | Simon | 2011-04-18 15:31:39 +0200 |
commit | 42d6aac89b897f2dedd5a938e597d551152c7a60 (patch) | |
tree | 4404b45d5f7759de7c22532ee033c08b4c13aa5c /library | |
parent | PersonController Eigene DEtails dürfen immer angezeigt werden (diff) | |
download | pbs2-42d6aac89b897f2dedd5a938e597d551152c7a60.tar.gz pbs2-42d6aac89b897f2dedd5a938e597d551152c7a60.tar.xz pbs2-42d6aac89b897f2dedd5a938e597d551152c7a60.zip |
FilterLibrary - Escapen von Argumenten
Diffstat (limited to 'library')
-rw-r--r-- | library/Pbs/Filter.php | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/library/Pbs/Filter.php b/library/Pbs/Filter.php index 5231e59..cb6233a 100644 --- a/library/Pbs/Filter.php +++ b/library/Pbs/Filter.php @@ -75,8 +75,8 @@ class Pbs_Filter{ $ipAdress = str_replace(".","",$this->fillIP($ipAdress)); $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - REPLACE(fe.filtervalue,'.','') <= '".$ipAdress."' AND - '".$ipAdress."' <= REPLACE(fe.filtervalue2,'.','') AND + REPLACE(fe.filtervalue,'.','') <= '".mysql_real_escape_string($ipAdress)."' AND + '".mysql_real_escape_string($ipAdress)."' <= REPLACE(fe.filtervalue2,'.','') AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); @@ -102,8 +102,8 @@ class Pbs_Filter{ $macAdress = $this->fillMac($macAdress); $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - fe.filtervalue <= '".$macAdress."' AND - '".$macAdress."' <= fe.filtervalue2 AND + fe.filtervalue <= '".mysql_real_escape_string($macAdress)."' AND + '".mysql_real_escape_string($macAdress)."' <= fe.filtervalue2 AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); @@ -132,7 +132,7 @@ class Pbs_Filter{ try{ $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - fe.filtervalue = ".$poolID." AND + fe.filtervalue = ".mysql_real_escape_string($poolID)." AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); $result = $stmt->fetchAll(); @@ -157,7 +157,7 @@ class Pbs_Filter{ try{ $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - fe.filtervalue = ".$clientID." AND + fe.filtervalue = ".mysql_real_escape_string($clientID)." AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); @@ -180,7 +180,7 @@ class Pbs_Filter{ try{ $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - fe.filtervalue = ".$bootisoID." AND + fe.filtervalue = ".mysql_real_escape_string($bootisoID)." AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); $result = $stmt->fetchAll(); @@ -204,7 +204,7 @@ class Pbs_Filter{ try{ $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - fe.filtervalue = ".$membershipID." AND + fe.filtervalue = ".mysql_real_escape_string($membershipID)." AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); $result = $stmt->fetchAll(); @@ -231,7 +231,7 @@ class Pbs_Filter{ try{ $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - fe.filtervalue = ".$membergroupID." AND + fe.filtervalue = ".mysql_real_escape_string($membergroupID)." AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); $result = $stmt->fetchAll(); @@ -259,8 +259,8 @@ class Pbs_Filter{ $stmt = $db->query('SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = '.$filtertypID.' AND - REPLACE(fe.filtervalue,":","") <= '.$nowShort.' AND - REPLACE(fe.filtervalue2,":","") >= '.$nowShort." AND + REPLACE(fe.filtervalue,":","") <= '.mysql_real_escape_string($nowShort).' AND + REPLACE(fe.filtervalue2,":","") >= '.mysql_real_escape_string($nowShort)." AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); $result = $stmt->fetchAll(); @@ -286,7 +286,7 @@ class Pbs_Filter{ try{ $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - fe.filtervalue = ".$hardwarehash." AND + fe.filtervalue = ".mysql_real_escape_string($hardwarehash)." AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); $result = $stmt->fetchAll(); @@ -309,8 +309,8 @@ class Pbs_Filter{ try{ $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - fe.filtervalue <= ".$weekday." AND - ".$weekday." <= fe.filtervalue2 AND + fe.filtervalue <= ".mysql_real_escape_string($weekday)." AND + ".mysql_real_escape_string($weekday)." <= fe.filtervalue2 AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); $result = $stmt->fetchAll(); @@ -332,8 +332,8 @@ class Pbs_Filter{ try{ $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f WHERE fe.filtertypeID = ".$filtertypID." AND - REPLACE(fe.filtervalue,'.','') <= ".$date." AND - ".$date." <= REPLACE(fe.filtervalue2,'.','') <= AND + REPLACE(fe.filtervalue,'.','') <= ".mysql_real_escape_string($date)." AND + ".mysql_real_escape_string($date)." <= REPLACE(fe.filtervalue2,'.','') <= AND fe.filterID = f.filterID AND f.groupID = '".$groupID."'"); $result = $stmt->fetchAll(); |