author | Simon Rettberg | 2014-06-11 16:12:54 +0200 |
---|---|---|
committer | Simon Rettberg | 2014-06-11 16:12:54 +0200 |
commit | 5b5332d38c8651cb1532d4142834adb816384526 (patch) | |
tree | 3d990840bcae055ea05465e02d6e2f5e93459fbc /modules/news.inc.php | |
parent | 1) Improve Taskmanager error handling 2) add uptime display to status page, f... (diff) | |
[news] Fix SQL injection
Diffstat (limited to 'modules/news.inc.php')
-rw-r--r-- | modules/news.inc.php | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/modules/news.inc.php b/modules/news.inc.php
index 2f9aa985..4ec6fddd 100644
--- a/modules/news.inc.php
+++ b/modules/news.inc.php
@@ -73,13 +73,14 @@ class Page_News extends Page {
 // check to see if we need to request a specific newsid
 if ($this->newsId !== false) {
- $whereClause = "WHERE newsid = $this->newsId ";
+ $row = Database::queryFirst("SELECT newsid, title, content, dateline FROM news WHERE newsid = :newsid LIMIT 1", array(
+ 'newsid' => $this->newsId
+ ));
 } else {
- $whereClause = "";
+ $row = Database::queryFirst("SELECT newsid, title, content, dateline FROM news ORDER BY dateline DESC LIMIT 1");
 }
 // fetch the news to be shown
- $row = Database::queryFirst("SELECT * FROM news $whereClause ORDER BY dateline DESC LIMIT 1");
 if ($row !== false) {
 $this->newsTitle = $row['title'];
 $this->newsContent = $row['content']; |
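Review bot: The comment `// fetch the news to be shown` is now orphaned: the fetch moved into the two branches above it, and the line it described was removed, so it sits over `if ($row !== false)` and no longer matches the code. The fix itself is sound provided `Database::queryFirst` hands its second argument to the driver as bound parameters rather than interpolating it into the SQL, which cannot be confirmed from this hunk; the two branches also now carry duplicate column lists that can drift apart on the next schema change. Building the statement once and attaching the WHERE clause and its parameter only when a newsid is requested keeps a single query text, keeps the parameter binding, and lets the comment describe the actual fetch again; the enclosing method starts and ends outside the hunk.
```php
// check to see if we need to request a specific newsid
$sql = "SELECT newsid, title, content, dateline FROM news";
$params = array();
if ($this->newsId !== false) {
	$sql .= " WHERE newsid = :newsid";
	$params['newsid'] = $this->newsId;
}
// fetch the news to be shown (newest one unless a specific newsid was requested)
$row = Database::queryFirst("$sql ORDER BY dateline DESC LIMIT 1", $params);
// … unchanged: if ($row !== false) { … } …
```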