summaryrefslogtreecommitdiff
path: root/pages/wot/9.php
diff options
context:
space:
mode:
Diffstat (limited to 'pages/wot/9.php')
-rw-r--r--pages/wot/9.php16
1 files changed, 8 insertions, 8 deletions
diff --git a/pages/wot/9.php b/pages/wot/9.php
index b492ff6..e4fff21 100644
--- a/pages/wot/9.php
+++ b/pages/wot/9.php
@@ -28,7 +28,7 @@
$user = mysql_fetch_array($res);
$userlang = $user['language'];
$points = mysql_num_rows(mysql_query("select sum(`points`) as `total` from `notary`
- where `to`='".$user['id']."' and `deleted`=0 group by `to` HAVING SUM(`points`) > 0"));
+ where `to`='".intval($user['id'])."' and `deleted`=0 group by `to` HAVING SUM(`points`) > 0"));
if($points <= 0)
{
echo _("Sorry, I was unable to locate that user.");
@@ -38,31 +38,31 @@
?>
<? if($_SESSION['_config']['error'] != "") { ?><font color="#ff0000" size="+1">ERROR: <?=$_SESSION['_config']['error']?></font><? unset($_SESSION['_config']['error']); } ?>
<form method="post" action="wot.php">
-<input type="hidden" name="userid" value="<?=$user['id']?>">
+<input type="hidden" name="userid" value="<?=intval($user['id'])?>">
<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
<tr>
<td colspan="2" class="title"><?=_("Contact Assurer")?></td>
</tr>
<tr>
<td class="DataTD"><?=_("To")?>:</td>
- <td class="DataTD" align="left"><?=$user['fname']?> <?=substr($user['lname'], 0, 1)?></td>
+ <td class="DataTD" align="left"><?=sanitizeHTML(trim($user['fname'].' '.substr($user['lname'], 0, 1)))?></td>
</tr>
<? if($userlang != "") { ?>
<tr>
<td class="DataTD"><?=_("Language")?>:</td>
- <td class="DataTD" align="left"><? printf(_("%s prefers to be contacted in %s"), $user['fname'], L10n::$translations[$userlang]) ?></td>
+ <td class="DataTD" align="left"><? printf(_("%s prefers to be contacted in %s"), sanitizeHTML($user['fname']), L10n::$translations[$userlang]) ?></td>
</tr>
<? } ?>
<?
- $query = "select * from `addlang` where `userid`='".$user['id']."'";
+ $query = "select * from `addlang` where `userid`='".intval($user['id'])."'";
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
{
- $lang = mysql_fetch_assoc(mysql_query("select * from `languages` where `locale`='${row['lang']}'"));
+ $lang = mysql_fetch_assoc(mysql_query("select * from `languages` where `locale`='".mysql_real_escape_string($row['lang'])."'"));
?>
<tr>
<td class="DataTD"><?=_("Additional Language")?>:</td>
- <td class="DataTD" align="left"><? printf(_("%s will also accept email in %s - %s"), $user['fname'], $lang['lang'], $lang['country']) ?></td>
+ <td class="DataTD" align="left"><? printf(_("%s will also accept email in %s - %s"), sanitizeHTML($user['fname']), sanitizeHTML($lang['lang']), sanitizeHTML($lang['country'])) ?></td>
</tr>
<? } ?>
<tr>
@@ -79,7 +79,7 @@
</table>
<input type="hidden" name="pageid" value="<?=$_SESSION['_config']['pagehash']?>">
<input type="hidden" name="userid" value="<?=intval($_REQUEST['userid'])?>">
-<input type="hidden" name="oldid" value="<?=$id?>">
+<input type="hidden" name="oldid" value="<?=intval($id)?>">
</form>
<p>[ <a href='javascript:history.go(-1)'><?=_("Go Back")?></a> ]</p>
<? } } ?>