From a52ee4a288ec57c2983173460237e4137440a873 Mon Sep 17 00:00:00 2001
From: cookie
Date: Mon, 4 Dec 2006 19:54:51 +0000
Subject: SQL injektion behoben
git-svn-id: svn://svn.cccv.de/engel-system@198 29ba0400-6e00-0410-a75a-ca02368028f8
---
 www-ssl/admin/news.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'www-ssl/admin/news.php')
diff --git a/www-ssl/admin/news.php b/www-ssl/admin/news.php
index 137695b3..83e64a4a 100755
--- a/www-ssl/admin/news.php
+++ b/www-ssl/admin/news.php
@@ -9,7 +9,7 @@ include ("./inc/funktion_user.php");
 if (!IsSet($_GET["action"]))
 {
- $SQL = "SELECT * from News order by Datum DESC";
+ $SQL = "SELECT * FROM `News` ORDER BY `Datum` DESC";
 $Erg = mysql_query($SQL, $con);
 $rowcount = mysql_num_rows($Erg);
@@ -52,7 +52,7 @@ else
 case 'change':
 if (isset($_GET["date"]))
 {
- $SQL = "SELECT * from News where (Datum='". $_GET["date"]. "')";
+ $SQL = "SELECT * FROM `News` WHERE (`Datum`='". $_GET["date"]. "')";
 $Erg = mysql_query($SQL, $con);
 if( mysql_num_rows( $Erg)==1)
@@ -91,15 +91,15 @@ else
 case 'change_save':
 if( isset($_GET["date"]) && isset($_GET["eBetreff"]) && isset($_GET["eText"]) )
- $chsql="UPDATE News set Betreff = \"". $_GET["eBetreff"]. "\", Text = \"". $_GET["eText"]. "\", Treffen=". $_GET["eTreffen"]. " where (Datum = '". $_GET["date"]. "') limit 1";
+ $chsql="UPDATE `News` SET `Betreff`='". $_GET["eBetreff"]. "', `Text`='". $_GET["eText"]. "', `Treffen`='". $_GET["eTreffen"]. "' WHERE (`Datum`='". $_GET["date"]. "') limit 1";
 else
 echo "Fehler: nicht genügend parameter übergeben";
 break;
 case 'delete':
 if (isset($_POST["date"]))
- $chsql="DELETE from News where Datum = '". $_POST["date"]. "' limit 1";
+ $chsql="DELETE FROM 'News' WHERE `Datum`='". $_POST["date"]. "' LIMIT 1";
 else
 echo "Fehler: \"date\" nicht übergeben";
 break;
-- 
cgit v1.2.3-70-g09d2
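Review bot: The `change` branch still concatenates `$_GET["date"]` straight into the query string, so the injection the commit title says it fixes is not fixed here; putting backticks around the identifiers changes nothing about how the value is interpreted. With the mysql extension this code uses, the value should at least pass through the connection-aware escaper before it is spliced in: `` $SQL = "SELECT * FROM `News` WHERE (`Datum`='". mysql_real_escape_string($_GET["date"], $con). "')"; ``. The same unescaped interpolation remains for `eBetreff`, `eText`, `eTreffen` and `date` in the `change_save` hunk and for `$_POST["date"]` in the `delete` hunk, so the commit message overstates what was changed. The enclosing `switch` begins and ends outside this hunk.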
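Review bot: The new `delete` query wraps the table name in single quotes, `DELETE FROM 'News'`, which MySQL reads as a string literal rather than an identifier, so the statement fails with a syntax error and the delete action silently stops working; it should read `` $chsql="DELETE FROM `News` WHERE `Datum`='". $_POST["date"]. "' LIMIT 1"; ``. In the `change_save` branch the `isset()` guard on the preceding line covers `date`, `eBetreff` and `eText` but not `eTreffen`, which the rewritten UPDATE string reads unconditionally, so a request lacking that parameter raises an undefined-index notice and writes an empty `Treffen`. It is also worth noting that `change_save` takes its parameters from `$_GET` while `delete` uses `$_POST`, so the state-changing update is triggered by a plain GET request. Where `$chsql` is executed lies outside the hunk, as does the start and end of the enclosing `switch`.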