bike
/
Yellow-Bike-Database-Mirror
mirror of https://github.com/fspc/Yellow-Bike-Database.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Fixed a bug found by Drew Gatlin using GetSQLValueString. 

This uses addslashes() to escape comments.

Drew discovered the bug while entering a comment in the PS shop.  He is studying at Civil Engineering at WVU.  Drew actually began his journey at YBD - http://www.crazyguyonabike.com/directory/?user=JGatlin  - now that is pretty cosmic.  :)

My name is Drew, or John depending on whom you ask. I'm currently "taking some time off" and touring throughout the southwestern United States -- I might venture into Mexico at some point in the next couple of months. Before I began this journey I lived in Austin, TX for most of my young life and attended Hendrix College in Conway, AR for a year and a half. In Austin I spent(/spend whenever I go back) a lot of time at the Austin Yellow Bike Project (YBP) and just recently got to know those over at Bikes Across Borders (BAB). In fact, I did my first tour with BAB in January of this year (2008) from Austin to Nuevo Laredo, Mexico. My experience with YBP led me to help start a bike project in Conway called Back In The Saddle Bike Collective in January 2007. The organization is currently thriving and operating out of two storage units and brings me much happiness. I'll continue working with them when I head back to school in the fall of 2008. For now, all I want to do is tour as long as possible. I expect I'll be able to keep it up at least until May, and I hope to be able to head into Mexico before it's all over.
devel
Jonathan Rosenbaum 10 years ago
parent
5b42c9da3f
commit
b4387774d7
1 changed files with 6 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      contact_add_edit.php

10
contact_add_edit.php
View File

@ -68,8 +68,8 @@ $editFormAction = "?contact_id={$contact_id}&shop_id={$shop_id}";
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
/* Discover if submitted contact creation attempt is new.
There should be at least a first and last name.
/* Discover if submitted contact creation attempt a new
or existing contact.
*/
mysql_select_db($database_YBDB, $YBDB);
@ -220,9 +220,11 @@ if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
// insert as update? But it works.
if ($_POST['comments']) {
$comments = $_POST['comments'];
$comments_escaped = GetSQLValueString($comments, "text");
$sql = "INSERT INTO selections (contact_id, selection, selection_value)
VALUES (" . $submitted_contact_id . ", 1,'" . $_POST['comments'] . "');";
$result = mysql_query($sql, $YBDB) or die(mysql_error());
VALUES (" . $submitted_contact_id . ", 1," . $comments_escaped . ");";
$result = mysql_query($sql, $YBDB) or die(mysql_error());
}
if ($_POST['contact_id_entry'] == 'new_contact' || $_POST['contact_id_entry'] == $submitted_contact_id){

Write Preview
Loading…
Cancel
Save