bug 1137: mysql_real_escape() fields in user_agreements although they usually are not
authorMichael Tänzer <neo@nhng.de>
Sat, 24 Aug 2013 13:30:48 +0000 (15:30 +0200)
committerMichael Tänzer <neo@nhng.de>
Sat, 24 Aug 2013 13:30:48 +0000 (15:30 +0200)
user provided, just to be sure

Signed-off-by: Michael Tänzer <neo@nhng.de>
includes/notary.inc.php

index b8cdb1b..2b7ccb6 100644 (file)
        function write_user_agreement($memid, $document, $method, $comment, $active=1, $secmemid=0){
        // write a new record to the table user_agreement
                $query="insert into `user_agreements` set `memid`=".intval($memid).", `secmemid`=".intval($secmemid).
-                       ",`document`='".$document."',`date`=NOW(), `active`=".intval($active).",`method`='".$method."',`comment`='".$comment."'" ;
+                       ",`document`='".mysql_real_escape_string($document)."',`date`=NOW(), `active`=".intval($active).",`method`='".mysql_real_escape_string($method)."',`comment`='".mysql_real_escape_string($comment)."'" ;
                $res = mysql_query($query);
        }
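Review bot: The result of `mysql_query($query)` on the last line of write_user_agreement is assigned to `$res` and then dropped, so a failed insert of an agreement record goes unnoticed; consider `if ($res === false) { error_log('write_user_agreement: '.mysql_error()); }` followed by `return $res !== false;`. The new `mysql_real_escape_string()` calls sit inside the single-quoted values, which is what makes them effective, but they escape according to the connection's character set, so they are only reliable if that charset is set with `mysql_set_charset()` rather than a `SET NAMES` query; the connection setup is not visible here. The callers are also outside this hunk: any caller that already escapes `$document`, `$method` or `$comment` will now store doubled backslashes, so a comment such as `// $document, $method and $comment must be passed unescaped; escaping is done here` above the query would pin the contract. Longer term, a prepared statement through mysqli or PDO would remove the dependence on manual escaping altogether.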