AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-03-07 22:34:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added more mysql escapes to more get vars

Browse Source
This commit is contained in:
johnny@pittpc.com
2019-08-28 22:01:22 -04:00
parent 2d5ac7c2e6
commit 720a0df214
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
guest_post.php
View File

@@ -9,7 +9,7 @@ require_once $mpdf_path . '/vendor/autoload.php';
if(isset($_GET['pdf_invoice'], $_GET['url_key'])){ if(isset($_GET['pdf_invoice'], $_GET['url_key'])){
$invoice_id = intval($_GET['pdf_invoice']); $invoice_id = intval($_GET['pdf_invoice']);
$url_key = $_GET['url_key']; $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']);
$sql = mysqli_query($mysqli,"SELECT * FROM invoices, clients $sql = mysqli_query($mysqli,"SELECT * FROM invoices, clients
WHERE invoices.client_id = clients.client_id WHERE invoices.client_id = clients.client_id
@@ -231,7 +231,7 @@ if(isset($_GET['pdf_invoice'], $_GET['url_key'])){
if(isset($_GET['pdf_quote'], $_GET['url_key'])){ if(isset($_GET['pdf_quote'], $_GET['url_key'])){
$quote_id = intval($_GET['pdf_quote']); $quote_id = intval($_GET['pdf_quote']);
$url_key = $_GET['url_key']; $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes, clients $sql = mysqli_query($mysqli,"SELECT * FROM quotes, clients
WHERE quotes.client_id = clients.client_id WHERE quotes.client_id = clients.client_id
@@ -428,7 +428,7 @@ if(isset($_GET['pdf_quote'], $_GET['url_key'])){
if(isset($_GET['approve_quote'], $_GET['url_key'])){ if(isset($_GET['approve_quote'], $_GET['url_key'])){
$quote_id = intval($_GET['approve_quote']); $quote_id = intval($_GET['approve_quote']);
$url_key = $_GET['url_key']; $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes $sql = mysqli_query($mysqli,"SELECT * FROM quotes
WHERE quotes.quote_id = $quote_id WHERE quotes.quote_id = $quote_id
@@ -453,7 +453,7 @@ if(isset($_GET['approve_quote'], $_GET['url_key'])){
if(isset($_GET['reject_quote'], $_GET['url_key'])){ if(isset($_GET['reject_quote'], $_GET['url_key'])){
$quote_id = intval($_GET['reject_quote']); $quote_id = intval($_GET['reject_quote']);
$url_key = $_GET['url_key']; $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes $sql = mysqli_query($mysqli,"SELECT * FROM quotes
WHERE quotes.quote_id = $quote_id WHERE quotes.quote_id = $quote_id