From 5d9335fe183a0486c593975c45c2abe6875ab719 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 3 Jun 2011 20:24:36 +0200
Subject: admin_questions: More templates + sql fixes

---
 includes/pages/admin_language.php | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

(limited to 'includes/pages/admin_language.php')

diff --git a/includes/pages/admin_language.php b/includes/pages/admin_language.php
index a866528e..749cd643 100644
--- a/includes/pages/admin_language.php
+++ b/includes/pages/admin_language.php
@@ -72,19 +72,29 @@ function admin_language() {
 		foreach ($_POST as $k => $v) {
 			if ($k != "TextID") {
 				$sql_test = "SELECT * FROM `Sprache` " .
-				"WHERE `TextID`='" . $_POST["TextID"] . "' AND `Sprache`='$k'";
+				"WHERE `TextID`='" . sql_escape($_POST["TextID"])
+				. "' AND `Sprache`='"
+				. sql_escape($k) . "'";
+
 				$erg_test = sql_query($sql_test);
 
 				if (mysql_num_rows($erg_test) == 0) {
 					$sql_save = "INSERT INTO `Sprache` (`TextID`, `Sprache`, `Text`) " .
-					"VALUES ('" . $_POST["TextID"] . "', '$k', '$v')";
+					"VALUES ('" . sql_escape($_POST["TextID"]) . "', '"
+					. sql_escape($k) . "', '"
+					. sql_escape($v) . "')";
+
 					$html .= $sql_save . "<br />";
 					$Erg = sql_query($sql_save);
 					$html .= success("$k Save: OK<br />\n");
 				} else
 					if (mysql_result($erg_test, 0, "Text") != $v) {
-						$sql_save = "UPDATE `Sprache` SET `Text`='$v' " .
-						"WHERE `TextID`='" . $_POST["TextID"] . "' AND `Sprache`='$k' ";
+						$sql_save = "UPDATE `Sprache` SET `Text`='"
+						. sql_escape($v) . "' " .
+						"WHERE `TextID`='"
+						. sql_escape($_POST["TextID"])
+						. "' AND `Sprache`='" . sql_escape($k) . "' ";
+
 						$html .= $sql_save . "<br />";
 						$Erg = sql_query($sql_save);
 						$html .= success(" $k Update: OK<br />\n");
-- 
cgit v1.2.3-54-g00ecf