Escape texts before writing to database.

2023-12-30 10:36:23 +01:00
parent 7cd0ed9f58
commit 66af0a2bb7
4 changed files with 8 additions and 8 deletions


@@ -10,7 +10,7 @@ if (!isset($_POST['Speichern'])) {
<input type="file" name="Foto"/>
<br/>
<label>Bildüberschrift</label>
<input type="text" name="Text"/>
<textarea name="Text" cols="90" rows="10"></textarea>
<br/>
<input type="submit" name="Speichern" value="Speichern"/>
</form>
@@ -18,7 +18,7 @@ if (!isset($_POST['Speichern'])) {
<?php
} else {
if ('' != $_FILES['Foto']['name']) {
$Text = $_POST['Text'];
$Text = $db->real_escape_string($_POST['Text']);
$sql1 = 'INSERT INTO bilder (ID, Head) VALUES (NULL, "' . $Text . '");';
$stmt1 = $db->prepare($sql1);
if (!$stmt1) {
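Review bot: The escaped value is still concatenated into the SQL string handed to `$db->prepare($sql1)` on the line building `$sql1`, so a statement is prepared but nothing is actually parameterised; since a prepared statement is used anyway, the value should be bound rather than escaped: `$stmt1 = $db->prepare('INSERT INTO bilder (ID, Head) VALUES (NULL, ?)');` followed by `$stmt1->bind_param('s', $Text);` before execution. That also removes the reliance of `real_escape_string` on the connection charset matching what `mysqli::set_charset` was given, which this hunk does not show being set. The same escape-then-concatenate pattern is used in the other three files of this commit. The `else` branch and the `if (!$stmt1)` check continue past the end of the hunk.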


@@ -15,14 +15,14 @@ if (!isset($_POST['Speichern'])) {
<input type="hidden" name="edit" value="speichern"/>
<input type="hidden" name="id" value="<?php echo $_POST['Titel']; ?>"/>
<label>Bildüberschrift</label>
<input type="text" name="Text" value="<?php echo $nt1['Head']; ?>"/>
<textarea name="Text" cols="90" rows="10"><?php echo $nt1['Head']; ?></textarea>
<br/>
<input type="submit" name="Speichern" value="Speichern"/>
</form>
<?php
} else {
$Text = $_POST['Text'];
$Text = $db->real_escape_string($_POST['Text']);
$sql2 = 'UPDATE bilder SET Head = "' . $Text . '" WHERE ID = "' . $_POST['id'] . '";';
$stmt2 = $db->prepare($sql2);
if (!$stmt2) {
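Review bot: The new textarea line echoes `$nt1['Head']` straight into the HTML, so a stored heading containing `</textarea>` or a tag is rendered as markup; it should be written as `<?php echo htmlspecialchars($nt1['Head'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>`. On the database side only `Text` is escaped, while `$_POST['id']` is still concatenated raw into the `WHERE ID = "..."` clause of `$sql2` and needs the same treatment, or better a bound `?` placeholder. The `else` branch continues past the end of the hunk.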


@@ -28,8 +28,8 @@ if (!isset($_POST['Speichern'])) {
<?php
} else {
$Autor = $_POST['Autor'];
$Text = $_POST['Text'];
$Autor = $db->real_escape_string($_POST['Autor']);
$Text = $db->real_escape_string($_POST['Text']);
$Datum = $_POST['Datum'];
$sql2 = 'UPDATE gb SET Autor = "' . $Autor . '", Text = "' . $Text . '", Datum = "' . $Datum . '" WHERE ID = "' . $_POST['id'] . '";';
$stmt2 = $db->prepare($sql2);
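Review bot: `$Datum` is read from `$_POST['Datum']` and, together with `$_POST['id']`, is still concatenated unescaped into `$sql2`, so the escaping added for `Autor` and `Text` leaves two of the four interpolated inputs untouched; at minimum `$Datum = $db->real_escape_string($_POST['Datum']);` plus an escaped copy of `$_POST['id']` are needed, or all four should become bound placeholders on the prepared statement. The INSERT in the fourth file has the same gap for `$Datum`. The hunk header announces 8 lines per side but only 9 lines are shown, so a context line is presumably missing from the rendering; the `else` branch continues past the end of the hunk.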


@@ -24,8 +24,8 @@ if (!isset($_POST['Speichern'])) {
<?php
} else {
if ('' != $_FILES['Foto']['name']) {
$Autor = $_POST['Autor'];
$Text = $_POST['Text'];
$Autor = $db->real_escape_string($_POST['Autor']);
$Text = $db->real_escape_string($_POST['Text']);
$Datum = $_POST['Datum'];
$sql1 = 'INSERT INTO gb (ID, Autor, Text, Datum) VALUES (NULL, "' . $Autor . '", "' . $Text . '", "' . $Datum . '");';
$stmt1 = $db->prepare($sql1);