diff options
author | Philip Häusler <msquare@notrademark.de> | 2014-12-28 13:44:56 +0100 |
---|---|---|
committer | Philip Häusler <msquare@notrademark.de> | 2014-12-28 13:44:56 +0100 |
commit | 6bede2fd229395f34c321a37efa2ea93e7b1a7ba (patch) | |
tree | a20c74d5bdddae9e1ec9a988e1ba468371a4a995 /includes/pages/user_settings.php | |
parent | a6ab81b834fe91b0f0704a7db33e377c8dc63a23 (diff) |
harden the sql queries
Diffstat (limited to 'includes/pages/user_settings.php')
-rw-r--r-- | includes/pages/user_settings.php | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/includes/pages/user_settings.php b/includes/pages/user_settings.php index 0d569661..20ed3468 100644 --- a/includes/pages/user_settings.php +++ b/includes/pages/user_settings.php @@ -82,11 +82,11 @@ function user_settings() { `DECT`='" . sql_escape($dect) . "', `Handy`='" . sql_escape($mobile) . "', `email`='" . sql_escape($mail) . "', - `email_shiftinfo`=" . sql_escape($email_shiftinfo ? 'TRUE' : 'FALSE') . ", + `email_shiftinfo`='" . sql_escape($email_shiftinfo ? 'TRUE' : 'FALSE') . "', `jabber`='" . sql_escape($jabber) . "', `Size`='" . sql_escape($tshirt_size) . "', `Hometown`='" . sql_escape($hometown) . "' - WHERE `UID`=" . sql_escape($user['UID'])); + WHERE `UID`='" . sql_escape($user['UID']) . "'"); success(_("Settings saved.")); redirect(page_link_to('user_settings')); @@ -114,7 +114,7 @@ function user_settings() { $ok = false; if ($ok) { - sql_query("UPDATE `User` SET `color`='" . sql_escape($selected_theme) . "' WHERE `UID`=" . sql_escape($user['UID'])); + sql_query("UPDATE `User` SET `color`='" . sql_escape($selected_theme) . "' WHERE `UID`='" . sql_escape($user['UID']) . "'"); success(_("Theme changed.")); redirect(page_link_to('user_settings')); @@ -128,7 +128,7 @@ function user_settings() { $ok = false; if ($ok) { - sql_query("UPDATE `User` SET `Sprache`='" . sql_escape($selected_language) . "' WHERE `UID`=" . sql_escape($user['UID'])); + sql_query("UPDATE `User` SET `Sprache`='" . sql_escape($selected_language) . "' WHERE `UID`='" . sql_escape($user['UID']) . "'"); $_SESSION['locale'] = $selected_language; success("Language changed."); |