From 6bede2fd229395f34c321a37efa2ea93e7b1a7ba Mon Sep 17 00:00:00 2001
From: Philip Häusler
Date: Sun, 28 Dec 2014 13:44:56 +0100
Subject: harden the sql queries

---
 includes/model/ShiftEntry_model.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'includes/model/ShiftEntry_model.php')

diff --git a/includes/model/ShiftEntry_model.php b/includes/model/ShiftEntry_model.php
index 5129f15a..1579b93b 100644
--- a/includes/model/ShiftEntry_model.php
+++ b/includes/model/ShiftEntry_model.php
@@ -16,7 +16,7 @@ function ShiftEntries_by_shift($shift_id) {
 FROM `ShiftEntry`
 JOIN `User` ON `ShiftEntry`.`UID`=`User`.`UID`
 JOIN `AngelTypes` ON `ShiftEntry`.`TID`=`AngelTypes`.`id`
- WHERE `ShiftEntry`.`SID`=" . sql_escape($shift_id));
+ WHERE `ShiftEntry`.`SID`='" . sql_escape($shift_id)) . "'";
 }
 
 /**
@@ -27,12 +27,12 @@ function ShiftEntries_by_shift($shift_id) {
 function ShiftEntry_create($shift_entry) {
 mail_shift_assign(User($shift_entry['UID']), Shift($shift_entry['SID']));
 return sql_query("INSERT INTO `ShiftEntry` SET
- `SID`=" . sql_escape($shift_entry['SID']) . ",
- `TID`=" . sql_escape($shift_entry['TID']) . ",
- `UID`=" . sql_escape($shift_entry['UID']) . ",
+ `SID`='" . sql_escape($shift_entry['SID']) . "',
+ `TID`='" . sql_escape($shift_entry['TID']) . "',
+ `UID`='" . sql_escape($shift_entry['UID']) . "',
 `Comment`='" . sql_escape($shift_entry['Comment']) . "',
 `freeload_comment`='" . sql_escape($shift_entry['freeload_comment']) . "',
- `freeloaded`=" . sql_escape($shift_entry['freeloaded'] ? 'TRUE' : 'FALSE'));
+ `freeloaded`=" . sql_bool($shift_entry['freeloaded']));
 }
 
 /**
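Review bot: The rewritten WHERE line closes the sql_select() call before the final ``. "'"``, so the query reaches the database without its closing quote and the stray ``'`` is concatenated onto the function's return value instead (an array or false). The line should read ``WHERE `ShiftEntry`.`SID`='" . sql_escape($shift_id) . "'");`` so the quote is part of the SQL string. ShiftEntries_by_shift's opening and the start of the SELECT are outside the hunk.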
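Review bot: The new SID/TID/UID lines quote escaped values into what appear to be integer columns rather than rejecting non-numeric input, so the hardening still depends on the escaping function and on the database's string-to-number coercion. For id fields a cast is the stronger and simpler form, e.g. ``\`SID\`=" . (int) $shift_entry['SID'] . ",``, and the same applies to the id lines in the ShiftEntry_update, ShiftEntry and ShiftEntry_delete hunks below. sql_bool() is not visible in this (file-limited) diff, so I am assuming it emits an unquoted TRUE/FALSE as the replaced expression did.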
@@ -42,15 +42,15 @@ function ShiftEntry_update($shift_entry) {
 return sql_query("UPDATE `ShiftEntry` SET
 `Comment`='" . sql_escape($shift_entry['Comment']) . "',
 `freeload_comment`='" . sql_escape($shift_entry['freeload_comment']) . "',
- `freeloaded`=" . sql_escape($shift_entry['freeloaded'] ? 'TRUE' : 'FALSE') . "
- WHERE `id`=" . sql_escape($shift_entry['id']));
+ `freeloaded`=" . sql_bool($shift_entry['freeloaded']) . "
+ WHERE `id`='" . sql_escape($shift_entry['id']) . "'");
 }
 
 /**
 * Get a shift entry.
 */
 function ShiftEntry($shift_entry_id) {
- $shift_entry = sql_select("SELECT * FROM `ShiftEntry` WHERE `id`=" . sql_escape($shift_entry_id));
+ $shift_entry = sql_select("SELECT * FROM `ShiftEntry` WHERE `id`='" . sql_escape($shift_entry_id) . "'");
 if ($shift_entry === false)
 return false;
 if (count($shift_entry) == 0)
@@ -64,7 +64,7 @@ function ShiftEntry($shift_entry_id) {
 function ShiftEntry_delete($shift_entry_id) {
 $shift_entry = ShiftEntry($shift_entry_id);
 mail_shift_removed(User($shift_entry['UID']), Shift($shift_entry['SID']));
- return sql_query("DELETE FROM `ShiftEntry` WHERE `id`=" . sql_escape($shift_entry_id));
+ return sql_query("DELETE FROM `ShiftEntry` WHERE `id`='" . sql_escape($shift_entry_id) . "'");
 }
 
 /**
-- 
cgit v1.2.3-54-g00ecf
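Review bot: The rewritten DELETE still runs when the lookup two lines above it failed: the previous hunk shows ShiftEntry() returning false when its query fails, and presumably something other than a row when none matches, so `$shift_entry['UID']` on the mail line is read from a non-array before the delete is issued. A guard such as `if ($shift_entry === false) return false;` between the lookup and mail_shift_removed() would stop the new line from executing on a failed lookup.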