diff -up ocsreports/plugins/main_sections/ms_dict/ms_dict.php.orig ocsreports/plugins/main_sections/ms_dict/ms_dict.php
--- ocsreports/plugins/main_sections/ms_dict/ms_dict.php.orig 2011-11-28 17:54:50.000000000 +0100
+++ ocsreports/plugins/main_sections/ms_dict/ms_dict.php 2011-11-28 17:55:45.000000000 +0100
@@ -37,8 +37,8 @@ if ($protectedPost['RESET']=="RESET")
unset($protectedPost['search']);
//filtre
if ($protectedPost['search']){
- $search_cache=" and cache.name like '%".mysql_escape_string($protectedPost['search'])."%' ";
- $search_count=" and extracted like '%".mysql_escape_string($protectedPost['search'])."%' ";
+ $search_cache=" and cache.name like '%".mysql_real_escape_string($protectedPost['search'])."%' ";
+ $search_count=" and extracted like '%".mysql_real_escape_string($protectedPost['search'])."%' ";
}
else{
$search="";
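Review bot: The new calls on lines 89–90 still rely on the default MySQL link, and mysql_real_escape_string() returns false (with a warning) when no link is open, which would silently collapse the filter to `like '%%'`; it also takes the escaping charset from the link it is given. Pass the connection the query actually runs on, presumably the same `$_SESSION['OCS']["readServer"]` link that function_dico.php hands to mysql_query(): `mysql_real_escape_string($protectedPost['search'], $_SESSION['OCS']["readServer"])`. The same applies to the hunk at line 99 and to every escape in the function_dico.php hunks. Note also that the LIKE wildcards `%` and `_` are not escaped by this function, so a search value containing them matches more than the literal text; if that is unintended, wrap the value with `addcslashes(..., '%_')` before escaping.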
@@ -123,7 +123,7 @@ if ($protectedPost['onglet'] == 'CAT'){
}
$querydico=substr($querydico,0,-1);
$querydico .= " from dico_soft left join ".$table." cache on dico_soft.extracted=cache.name
- where formatted='".mysql_escape_string($list_cat[$protectedPost['onglet_soft']])."' ".$search_count." group by EXTRACTED";
+ where formatted='".mysql_real_escape_string($list_cat[$protectedPost['onglet_soft']])."' ".$search_count." group by EXTRACTED";
}
/*******************************************************CAS OF NEW*******************************************************/
if ($protectedPost['onglet'] == 'NEW'){
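Review bot: On line 99 `$list_cat[$protectedPost['onglet_soft']]` is read without checking that the key exists, so a tab value not present in `$list_cat` becomes null and the query degrades to `where formatted=''` rather than being rejected. A guard such as `if (!isset($list_cat[$protectedPost['onglet_soft']])) { ... }` before building `$querydico` would make the unknown-tab case explicit instead of producing an empty result. Where `$list_cat` is built is outside this hunk, so whether the keys are already constrained cannot be confirmed here.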
@@ -311,4 +311,4 @@ echo "<input type='hidden' name='RESET'
echo "<input type='hidden' name='TRANS' id='TRANS' value=''>";
echo "<input type='hidden' name='SUP_CAT' id='SUP_CAT' value=''>";
echo "</form>";
-?>
\ Pas de fin de ligne à la fin du fichier.
+?>
diff -up ocsreports/require/function_dico.php.orig ocsreports/require/function_dico.php
--- ocsreports/require/function_dico.php.orig 2011-11-28 17:56:55.000000000 +0100
+++ ocsreports/require/function_dico.php 2011-11-28 17:57:01.000000000 +0100
@@ -46,7 +46,7 @@ function trans($onglet,$list_soft,$affec
$table="softwares";
//verif is this cat exist
if ($new_cat != ''){
- $sql_verif="select extracted from dico_soft where formatted ='".mysql_escape_string($new_cat)."'";
+ $sql_verif="select extracted from dico_soft where formatted ='".mysql_real_escape_string($new_cat)."'";
$result_search_soft = mysql_query( $sql_verif, $_SESSION['OCS']["readServer"]);
$item_search_soft = mysql_fetch_object($result_search_soft);
if (isset($item_search_soft->extracted) or $new_cat == "IGNORED" or $new_cat == "UNCHANGED"){
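Review bot: The result of mysql_query() on line 119 is never checked, so a failed query (bad SQL, lost connection) passes `false` to mysql_fetch_object(), `isset($item_search_soft->extracted)` is then false, and the code treats the failure as "category does not exist" and continues toward the insert branch. Add a check such as `if ($result_search_soft === false) { return; }` (or whatever error path this function uses) directly after the query. The body of trans() continues past both ends of this hunk, so the full failure handling cannot be judged here.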
@@ -71,10 +71,10 @@ function trans($onglet,$list_soft,$affec
}elseif($exist_cat == "UNCHANGED"){
$sql="insert dico_soft (extracted,formatted) select distinct NAME,NAME from ".$table." where ID in (".implode(",",$list_soft).")";
}else
- $sql="insert dico_soft (extracted,formatted) select distinct NAME,'".mysql_escape_string($exist_cat)."' from ".$table." where ID in (".implode(",",$list_soft).")";
+ $sql="insert dico_soft (extracted,formatted) select distinct NAME,'".mysql_real_escape_string($exist_cat)."' from ".$table." where ID in (".implode(",",$list_soft).")";
}else{
if (!isset($already_exist)){
- $sql="insert dico_soft (extracted,formatted) select distinct NAME,'".mysql_escape_string($new_cat)."' from ".$table." where ID in (".implode(",",$list_soft).")";
+ $sql="insert dico_soft (extracted,formatted) select distinct NAME,'".mysql_real_escape_string($new_cat)."' from ".$table." where ID in (".implode(",",$list_soft).")";
}else
echo "<script>alert('".$l->g(771)."')</script>";
}
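Review bot: The three insert statements on lines 124, 127 and 131 splice `implode(",",$list_soft)` straight into the `ID in (...)` clause, and nothing in the hunk constrains those values to integers; the escaping change in this commit does not cover them. Since `$list_soft` is a parameter of trans() and its origin is not visible here, the cheapest defensive measure is to normalise it once at the top of the function, `$list_soft = array_map('intval', $list_soft);`, and to reject an empty list before building the query (an empty implode yields `ID in ()`, a syntax error). The enclosing function starts and ends outside this hunk.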
diff -up ocsreports/require/function_table_html.php.orig ocsreports/require/function_table_html.php
--- ocsreports/require/function_table_html.php.orig 2011-11-28 17:57:10.000000000 +0100
+++ ocsreports/require/function_table_html.php 2011-11-28 17:57:38.000000000 +0100
@@ -163,7 +163,7 @@ function escape_string($array){
function xml_escape_string($array){
foreach ($array as $key=>$value){
$trait_array[$key]=xml_encode($value);
- //$trait_array[$key]=mysql_escape_string($value);
+ //$trait_array[$key]=mysql_real_escape_string($value);
}
return ($trait_array);
}
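Review bot: In xml_escape_string() `$trait_array` is never initialised, so an empty `$array` reaches `return ($trait_array);` with an undefined variable and the caller receives null instead of an empty array. Add `$trait_array = array();` before the foreach on line 140. The commented-out line updated on line 143 is dead code and could simply be dropped rather than kept in sync.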
@@ -801,8 +801,8 @@ function onglet($def_onglets,$form_name,
$current=1;
}
}else{
- //echo "<script>alert('".mysql_escape_string(stripslashes($protectedPost[$post_name]))." => ".$key."')</script>";
- if (mysql_escape_string(stripslashes($protectedPost[$post_name])) === mysql_escape_string(stripslashes($key)) or (!isset($protectedPost[$post_name]) and $current != 1)){
+ //echo "<script>alert('".mysql_real_escape_string(stripslashes($protectedPost[$post_name]))." => ".$key."')</script>";
+ if (mysql_real_escape_string(stripslashes($protectedPost[$post_name])) === mysql_real_escape_string(stripslashes($key)) or (!isset($protectedPost[$post_name]) and $current != 1)){
echo "id='current'";
$current=1;
}
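Review bot: Line 154 uses mysql_real_escape_string() on both sides of an in-memory string comparison, which couples a purely presentational check to the database connection: with no link open both calls return false and `false === false` marks every tab as current. Escaping is not needed to compare two PHP strings, so `if (stripslashes($protectedPost[$post_name]) === stripslashes($key) or (!isset($protectedPost[$post_name]) and $current != 1)){` is sufficient. The first operand also reads `$protectedPost[$post_name]` before the isset() check, so the undefined-index case raises a notice on every render; testing isset() first avoids that. The enclosing onglet() function starts before and ends after this hunk.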