[evolvis-commits] r13432: Merged from 4.8: use db_query_params() instead of db_query() to prevent potential injection problems

mirabilos at evolvis.org
Mon Feb 28 02:36:15 CET 2011


Author: mirabilos
Date: 2011-02-28 02:36:14 +0100 (Mon, 28 Feb 2011)
New Revision: 13432

Modified:
   trunk/gforge_base/evolvisforge-5.1/gforge/www/include/logger.php
Log:
Merged from 4.8: use db_query_params() instead of db_query() to prevent potential injection problems

Modified: trunk/gforge_base/evolvisforge-5.1/gforge/www/include/logger.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/www/include/logger.php	2011-02-28 01:36:12 UTC (rev 13431)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/www/include/logger.php	2011-02-28 01:36:14 UTC (rev 13432)
@@ -112,11 +112,11 @@
 
 $sql =	"INSERT INTO activity_log "
 	. "(day,hour,group_id,browser,ver,platform,time,page,type) "
-	. "VALUES (" . date('Ymd', mktime()) . ",'" . date('H', mktime())
-	. "','$log_group','" . browser_get_agent() . "','" . browser_get_version() 
-	. "','" . browser_get_platform() . "','" . time() . "','".getStringFromServer('PHP_SELF')."','0');";
+	. "VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9);";
 
-$res_logger = db_query ( $sql );
+$res_logger = db_query_params ($sql, array(date('Ymd'), date('H'),
+	$log_group, browser_get_agent(), browser_get_version(), browser_get_platform(),
+	time(), getStringFromServer('PHP_SELF'), '0'));
 
 //
 //	temp hack
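Review bot: the parameterised rewrite is the right fix here, because the removed lines spliced request-controlled strings straight into the statement: the User-Agent-derived values from browser_get_agent(), browser_get_version() and browser_get_platform(), and the script path from getStringFromServer('PHP_SELF'). The parameter array lines up with the column list ($1 day through $9 type), and dropping the mktime() argument is harmless since bare mktime() is the current timestamp. One detail worth a second look: the old query emitted `day` as a bare numeric literal while every other value was quoted, and now all nine arrive as bound parameters, so this relies on db_query_params() letting the database cast the `day` string to the column's type; a single insert on a test instance would confirm it.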