From 66af0a2bb716c834106b2a0d3107bd08c5a789e1 Mon Sep 17 00:00:00 2001 From: chris Date: Sat, 30 Dec 2023 10:36:23 +0100 Subject: [PATCH] Escape texts before writing to database. --- admin/inhalte/fotos/bilder/add.php | 4 ++-- admin/inhalte/fotos/bilder/edit.php | 4 ++-- admin/inhalte/gb/edit.php | 4 ++-- admin/inhalte/gb/new.php | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/admin/inhalte/fotos/bilder/add.php b/admin/inhalte/fotos/bilder/add.php index 0df28ed..82f06e2 100644 --- a/admin/inhalte/fotos/bilder/add.php +++ b/admin/inhalte/fotos/bilder/add.php @@ -10,7 +10,7 @@ if (!isset($_POST['Speichern'])) {
- +
@@ -18,7 +18,7 @@ if (!isset($_POST['Speichern'])) { real_escape_string($_POST['Text']); $sql1 = 'INSERT INTO bilder (ID, Head) VALUES (NULL, "' . $Text . '");'; $stmt1 = $db->prepare($sql1); if (!$stmt1) { diff --git a/admin/inhalte/fotos/bilder/edit.php b/admin/inhalte/fotos/bilder/edit.php index aabef6c..b46aea2 100644 --- a/admin/inhalte/fotos/bilder/edit.php +++ b/admin/inhalte/fotos/bilder/edit.php @@ -15,14 +15,14 @@ if (!isset($_POST['Speichern'])) { - +
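Review bot: The new `$Text` line still ends up concatenated into `$sql1`, and the finished string is then passed to `$db->prepare($sql1)`, so the prepared statement carries no placeholder and `real_escape_string` is the only thing separating data from SQL (and that escaping is only reliable if the connection charset was set with `set_charset`, which is not visible here). Since a statement is being prepared anyway, bind the value instead: `$Text = $_POST['Text'];`, `$stmt1 = $db->prepare('INSERT INTO bilder (ID, Head) VALUES (NULL, ?);');`, `$stmt1->bind_param('s', $Text);` (the connection appears to be mysqli given `real_escape_string`; the execute call lies outside the hunk). The same escape-then-concatenate-then-prepare pattern applies to the hunks in admin/inhalte/fotos/bilder/edit.php, admin/inhalte/gb/edit.php and admin/inhalte/gb/new.php. The line as rendered appears to have lost its `$Text = $db->` prefix, so this is read from the surrounding context, and the enclosing `if (!isset($_POST['Speichern']))` block starts and ends outside the hunk.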
real_escape_string($_POST['Text']); $sql2 = 'UPDATE bilder SET Head = "' . $Text . '" WHERE ID = "' . $_POST['id'] . '";'; $stmt2 = $db->prepare($sql2); if (!$stmt2) { diff --git a/admin/inhalte/gb/edit.php b/admin/inhalte/gb/edit.php index aaa4eec..31e9872 100644 --- a/admin/inhalte/gb/edit.php +++ b/admin/inhalte/gb/edit.php @@ -28,8 +28,8 @@ if (!isset($_POST['Speichern'])) { real_escape_string($_POST['Autor']); + $Text = $db->real_escape_string($_POST['Text']); $Datum = $_POST['Datum']; $sql2 = 'UPDATE gb SET Autor = "' . $Autor . '", Text = "' . $Text . '", Datum = "' . $Datum . '" WHERE ID = "' . $_POST['id'] . '";'; $stmt2 = $db->prepare($sql2); diff --git a/admin/inhalte/gb/new.php b/admin/inhalte/gb/new.php index eda7154..4c5c8dd 100644 --- a/admin/inhalte/gb/new.php +++ b/admin/inhalte/gb/new.php @@ -24,8 +24,8 @@ if (!isset($_POST['Speichern'])) { real_escape_string($_POST['Autor']); + $Text = $db->real_escape_string($_POST['Text']); $Datum = $_POST['Datum']; $sql1 = 'INSERT INTO gb (ID, Autor, Text, Datum) VALUES (NULL, "' . $Autor . '", "' . $Text . '", "' . $Datum . '");'; $stmt1 = $db->prepare($sql1);
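Review bot: The `$sql2` line in this hunk still interpolates `$_POST['id']` directly into the WHERE clause (`WHERE ID = "' . $_POST['id'] . '"`) while only `$Text` received `real_escape_string`, so after the commit the UPDATE is still string-built from one raw request field. With the statement already prepared, bind both values: `$stmt2 = $db->prepare('UPDATE bilder SET Head = ? WHERE ID = ?;');` followed by `$stmt2->bind_param('si', $Text, $_POST['id']);`, with `$Text` left unescaped once it is bound (the `'i'` assumes ID is an integer column, as the `NULL` auto-increment insert in add.php suggests; the execute call is outside the hunk). If the escaping approach is kept instead, `$_POST['id']` needs at least an `(int)` cast or the same `real_escape_string` treatment. The same unescaped id appears in the admin/inhalte/gb/edit.php hunk. The enclosing `if (!isset($_POST['Speichern']))` block starts and ends outside the hunk.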
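Review bot: `$Datum = $_POST['Datum'];` on the context line right after the added `$Text` line goes into `$sql2` with no escaping at all, so the commit escapes Autor and Text but leaves Datum as a raw request string inside the concatenated query. Either give it the same treatment, `$Datum = $db->real_escape_string($_POST['Datum']);`, or, better, prepare with placeholders and bind: `$stmt2 = $db->prepare('UPDATE gb SET Autor = ?, Text = ?, Datum = ? WHERE ID = ?;');` then `$stmt2->bind_param('ssss', $Autor, $Text, $Datum, $_POST['id']);` with the `real_escape_string` calls dropped so the values are not escaped twice. The same unescaped `$Datum` appears in the admin/inhalte/gb/new.php hunk, whose INSERT would take `$stmt1->bind_param('sss', $Autor, $Text, $Datum);`. The removed lines of this hunk do not seem to have survived rendering, so the old form of the Autor/Text assignments is inferred, and the enclosing block starts and ends outside the hunk.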