From db2d2d1f41ba372b825fd51ed65ed8c6f6fa4305 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Thu, 3 Dec 2015 17:33:05 +0100
Subject: add missing escape, thanks P.Allaert
---
 zoom.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'zoom.php')
diff --git a/zoom.php b/zoom.php
index 8e5dee6..699f22f 100644
--- a/zoom.php
+++ b/zoom.php
@@ -100,7 +100,7 @@ if ( !isset($name) || !$name ) {
 FROM rpm
 LEFT JOIN packagist ON (packagist.rpmname=rpm.name)
 INNER JOIN repo ON (repo.main=rpm.repo_main AND repo.sub=rpm.repo_sub)
- WHERE rpm.name='$name'
+ WHERE rpm.name=" . $uptable->escape($name) . "
 ORDER BY repo.id DESC,
 CAST(SUBSTRING_INDEX(rpm.ver,'.',1) AS SIGNED) DESC,
 CAST(SUBSTRING_INDEX(SUBSTRING_INDEX(rpm.ver,'.',2),'.',-1) AS SIGNED) DESC,
@@ -112,9 +112,9 @@ if ( !isset($name) || !$name ) {
 $resrpm = $db->query($sql);
 $rpm = ($resrpm ? $resrpm->fetchObject() : false);
- $up = $uptable->find(array('name'=>$name));
+ $up = $uptable->find(array('name' => $name));
- $sql = "SELECT * FROM acls WHERE name = '$name'";
+ $sql = "SELECT * FROM acls WHERE name = " . $uptable->escape($name);
 $resown=$db->query($sql);
 $owner = ($resown ? $resown->fetchObject() : false);
@@ -125,6 +125,9 @@ if ( !isset($name) || !$name ) {
 $smarty->assign('page_title', 'Package: ' . $name);
 }
+ $summary = array();
+ $packages = array();
+ $fedpkg = false;
 if (!$rpm) {
 echo "
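Review bot: The `WHERE rpm.name=` line in the first hunk still builds the statement by string concatenation, now through `$uptable->escape($name)`, and the `acls` query in the second hunk does the same; a bound parameter would remove the dependence on the escaping helper. `escape()` is not visible in this patch, so the fix assumes it both quotes and escapes the value (the surrounding single quotes were dropped, so a helper that only escapes would leave the value unquoted) and that it uses the same connection and character set as `$db`, which runs the query. If `$db` is a PDO handle, as `fetchObject()` suggests, the acls lookup could read `$st = $db->prepare('SELECT * FROM acls WHERE name = ?'); $st->execute(array($name));`. The enclosing `if` block starts and ends outside both hunks.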

$name not found

\n";
 } else {
-- cgit
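Review bot: The `echo "… $name not found …"` context line at the end of the third hunk writes `$name` into the response without HTML escaping, so the value this commit now escapes for SQL is still reflected verbatim in the not-found output. Where `$name` comes from is outside the hunk; if it is taken from the request, it should pass through `htmlspecialchars($name, ENT_QUOTES, 'UTF-8')` before being echoed. The same applies to `$smarty->assign('page_title', 'Package: ' . $name)` unless the template escapes it, which is not visible here. The markup around the message appears to have been stripped by the page, and the `if`/`else` continues past the hunk.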