From 42d6aac89b897f2dedd5a938e597d551152c7a60 Mon Sep 17 00:00:00 2001
From: Simon
Date: Mon, 18 Apr 2011 15:31:39 +0200
Subject: FilterLibrary - Escapen von Argumenten

---
 library/Pbs/Filter.php | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
(limited to 'library')

diff --git a/library/Pbs/Filter.php b/library/Pbs/Filter.php
index 5231e59..cb6233a 100644
--- a/library/Pbs/Filter.php
+++ b/library/Pbs/Filter.php
@@ -75,8 +75,8 @@ class Pbs_Filter{
 $ipAdress = str_replace(".","",$this->fillIP($ipAdress));
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- REPLACE(fe.filtervalue,'.','') <= '".$ipAdress."' AND
- '".$ipAdress."' <= REPLACE(fe.filtervalue2,'.','') AND
+ REPLACE(fe.filtervalue,'.','') <= '".mysql_real_escape_string($ipAdress)."' AND
+ '".mysql_real_escape_string($ipAdress)."' <= REPLACE(fe.filtervalue2,'.','') AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
@@ -102,8 +102,8 @@ class Pbs_Filter{
 $macAdress = $this->fillMac($macAdress);
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- fe.filtervalue <= '".$macAdress."' AND
- '".$macAdress."' <= fe.filtervalue2 AND
+ fe.filtervalue <= '".mysql_real_escape_string($macAdress)."' AND
+ '".mysql_real_escape_string($macAdress)."' <= fe.filtervalue2 AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
@@ -132,7 +132,7 @@ class Pbs_Filter{
 try{
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- fe.filtervalue = ".$poolID." AND
+ fe.filtervalue = ".mysql_real_escape_string($poolID)." AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
 $result = $stmt->fetchAll();
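Review bot: mysql_real_escape_string() on the two added lines depends on an open ext/mysql link; with none available it raises a warning and returns false, which concatenates as an empty string, so both comparisons silently become `<= ''` instead of failing loudly. The `$stmt->fetchAll()` seen in later hunks suggests `$db` is a PDO- or Zend_Db-style adapter rather than an ext/mysql handle, so that link presumably does not exist — confirm, and if so use the adapter's own quoting (`$db->quote($ipAdress)`) or bound parameters; this applies to every hunk in the patch. `$filtertypID` (interpolated unquoted) and `$groupID` remain unescaped on the context lines here and in all other hunks. The enclosing method starts and ends outside the hunk.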
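Review bot: Escaping `$poolID` on the added line gives no protection, because the value is interpolated into `fe.filtervalue = ".mysql_real_escape_string($poolID)."` without surrounding quotes; mysql_real_escape_string only neutralises quote and control characters, and an unquoted SQL token needs none of them to change the statement. If `$poolID` is an integer ID, as the name suggests, cast it: `fe.filtervalue = ".(int)$poolID." AND`; otherwise quote it in the SQL or bind it as a parameter. The same unquoted interpolation is in the hunks at -157 (`$clientID`), -180 (`$bootisoID`), -204 (`$membershipID`), -231 (`$membergroupID`), -259 (`$nowShort`), -286 (`$hardwarehash`), -309 (`$weekday`) and -332 (`$date`). The enclosing try block continues outside the hunk.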
@@ -157,7 +157,7 @@ class Pbs_Filter{
 try{
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- fe.filtervalue = ".$clientID." AND
+ fe.filtervalue = ".mysql_real_escape_string($clientID)." AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
@@ -180,7 +180,7 @@ class Pbs_Filter{
 try{
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- fe.filtervalue = ".$bootisoID." AND
+ fe.filtervalue = ".mysql_real_escape_string($bootisoID)." AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
 $result = $stmt->fetchAll();
@@ -204,7 +204,7 @@ class Pbs_Filter{
 try{
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- fe.filtervalue = ".$membershipID." AND
+ fe.filtervalue = ".mysql_real_escape_string($membershipID)." AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
 $result = $stmt->fetchAll();
@@ -231,7 +231,7 @@ class Pbs_Filter{
 try{
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- fe.filtervalue = ".$membergroupID." AND
+ fe.filtervalue = ".mysql_real_escape_string($membergroupID)." AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
 $result = $stmt->fetchAll();
@@ -259,8 +259,8 @@ class Pbs_Filter{
 $stmt = $db->query('SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = '.$filtertypID.' AND
- REPLACE(fe.filtervalue,":","") <= '.$nowShort.' AND
- REPLACE(fe.filtervalue2,":","") >= '.$nowShort." AND
+ REPLACE(fe.filtervalue,":","") <= '.mysql_real_escape_string($nowShort).' AND
+ REPLACE(fe.filtervalue2,":","") >= '.mysql_real_escape_string($nowShort)." AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
 $result = $stmt->fetchAll();
@@ -286,7 +286,7 @@ class Pbs_Filter{
 try{
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- fe.filtervalue = ".$hardwarehash." AND
+ fe.filtervalue = ".mysql_real_escape_string($hardwarehash)." AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
 $result = $stmt->fetchAll();
@@ -309,8 +309,8 @@ class Pbs_Filter{
 try{
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- fe.filtervalue <= ".$weekday." AND
- ".$weekday." <= fe.filtervalue2 AND
+ fe.filtervalue <= ".mysql_real_escape_string($weekday)." AND
+ ".mysql_real_escape_string($weekday)." <= fe.filtervalue2 AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
 $result = $stmt->fetchAll();
@@ -332,8 +332,8 @@ class Pbs_Filter{
 try{
 $stmt = $db->query("SELECT * FROM pbs_filterentries fe, pbs_filter f
 WHERE fe.filtertypeID = ".$filtertypID." AND
- REPLACE(fe.filtervalue,'.','') <= ".$date." AND
- ".$date." <= REPLACE(fe.filtervalue2,'.','') <= AND
+ REPLACE(fe.filtervalue,'.','') <= ".mysql_real_escape_string($date)." AND
+ ".mysql_real_escape_string($date)." <= REPLACE(fe.filtervalue2,'.','') <= AND
 fe.filterID = f.filterID AND
 f.groupID = '".$groupID."'");
 $result = $stmt->fetchAll();
--
cgit v1.2.3-55-g7522
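Review bot: The second added line of the -332 hunk, `".mysql_real_escape_string($date)." <= REPLACE(fe.filtervalue2,'.','') <= AND`, carries over the stray trailing `<=` from the removed line, so the generated SQL reads `... <= AND fe.filterID ...` and is a syntax error; the surrounding `try{` (its handler lies outside the hunk) will swallow it, and the date filter can never match. Drop the dangling operator: `".mysql_real_escape_string($date)." <= REPLACE(fe.filtervalue2,'.','') AND`. Worth a one-line comment above the query noting that `$date` is expected in the dotted form that `REPLACE(...,'.','')` normalises, since that contract is otherwise invisible here.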