mirror of
https://github.com/fspc/Yellow-Bike-Database.git
synced 2025-02-22 00:53:22 -05:00
Fixed a bug found by Drew Gatlin using GetSQLValueString.
This uses addslashes() to escape comments. Drew discovered the bug while entering a comment in the PS shop. He is studying Civil Engineering at WVU. Drew actually began his journey at YBD - http://www.crazyguyonabike.com/directory/?user=JGatlin - now that is pretty cosmic. :) My name is Drew, or John depending on whom you ask. I'm currently "taking some time off" and touring throughout the southwestern United States -- I might venture into Mexico at some point in the next couple of months. Before I began this journey I lived in Austin, TX for most of my young life and attended Hendrix College in Conway, AR for a year and a half. In Austin I spent(/spend whenever I go back) a lot of time at the Austin Yellow Bike Project (YBP) and just recently got to know those over at Bikes Across Borders (BAB). In fact, I did my first tour with BAB in January of this year (2008) from Austin to Nuevo Laredo, Mexico. My experience with YBP led me to help start a bike project in Conway called Back In The Saddle Bike Collective in January 2007. The organization is currently thriving and operating out of two storage units and brings me much happiness. I'll continue working with them when I head back to school in the fall of 2008. For now, all I want to do is tour as long as possible. I expect I'll be able to keep it up at least until May, and I hope to be able to head into Mexico before it's all over.
This commit is contained in:
parent 5b42c9da3f
commit b4387774d7
@ -68,8 +68,8 @@ $editFormAction = "?contact_id={$contact_id}&shop_id={$shop_id}";
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
/* Discover if submitted contact creation attempt is new.
There should be at least a first and last name.
/* Discover if submitted contact creation attempt a new
or existing contact.
*/
mysql_select_db($database_YBDB, $YBDB);
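Review bot: the replacement comment starting at `/* Discover if submitted contact creation attempt a new` is missing its verb (it should read "attempt is a new or existing contact"), and it drops the old statement that there should be at least a first and last name; if that requirement still holds for the lookup that follows mysql_select_db, keep it in the comment so the precondition stays documented next to the code that depends on it.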
@ -220,9 +220,11 @@ if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
// insert as update? But it works.
if ($_POST['comments']) {
$comments = $_POST['comments'];
$comments_escaped = GetSQLValueString($comments, "text");
$sql = "INSERT INTO selections (contact_id, selection, selection_value)
VALUES (" . $submitted_contact_id . ", 1,'" . $_POST['comments'] . "');";
$result = mysql_query($sql, $YBDB) or die(mysql_error());
VALUES (" . $submitted_contact_id . ", 1," . $comments_escaped . ");";
$result = mysql_query($sql, $YBDB) or die(mysql_error());
}
if ($_POST['contact_id_entry'] == 'new_contact' || $_POST['contact_id_entry'] == $submitted_contact_id){
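Review bot: `$submitted_contact_id` is still concatenated into the INSERT unescaped on the `VALUES (" . $submitted_contact_id . ", 1,` line while only the comment now goes through GetSQLValueString; if that value can originate from the request it should be constrained to an integer (for example `(int)$submitted_contact_id`) before the query string is built. Two smaller points: the commit message says GetSQLValueString escapes with addslashes(), which is not a MySQL-aware escape, so with the mysql extension the escaping should be done by mysql_real_escape_string() on the open `$YBDB` connection; and `if ($_POST['comments'])` should test isset() first so a form submitted without the field does not raise a notice.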