diff --git a/api.php b/api.php
index 535b1d4..b5c3b8b 100644
--- a/api.php
+++ b/api.php
@@ -919,14 +919,25 @@ switch($request[0]) {
 */
+ /* APIDOC: project/edit
- post(project_id integer, projectdivisions_id integer, title varchar(255), language char(2), req_electricity enum('no', 'yes'), req_table enum('no', 'yes'), req_special varchar(128), summary text)
- description(Edit an existing project. "language" notes the language a participant wishes to be judged in. "req_electricity" notes whethor or not the project requires an electrical outlet. "req_table" states whether or not the project needs a table. "req_special" is a field for special requirements.)
+ post(project array)
+ description(Edit an existing project. "language" notes the language a participant wishes to be judged in. "req_electricity" notes whethor or not the project requires an electrical outlet. "req_table" states whether or not the project needs a table. "req_special" is a field for special requirements. project array: project_id integer, projectdivisions_id integer, title varchar(255), language char(2), req_electricity enum('no', 'yes'), req_table enum('no', 'yes'), req_special varchar(128), summary text)
+ return(project array)
 */
 case 'edit':
- $message = saveProjectData($_POST);
+ $project=json_decode($_POST['project'],true);
+ if(!is_array($project)) {
+ $ret['status']="error";
+ $ret['error']="project (array) is required.";
+ break;
+ }
+ $message = saveProjectData($project);
 if($message == 'success'){
 $ret['status'] = 'ok';
+ //FIXME: this should getProject or something to reload whats actually in the database instead of just returning what they gave us
+ $ret['project'] = json_encode($project);
 }else{
 $ret['status'] = 'error';
 $ret['error'] = $message;
diff --git a/register_participants.inc.php b/register_participants.inc.php
index 0632b1b..f5d3585 100644
--- a/register_participants.inc.php
+++ b/register_participants.inc.php
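Review bot: `$_POST['project']` is read without `isset()` at `$project=json_decode($_POST['project'],true);`, so a request without that field raises an undefined-index notice before the `is_array` guard runs; `$project = json_decode(isset($_POST['project']) ? $_POST['project'] : '', true);` keeps the same error path. `$project` then goes to `saveProjectData()` exactly as the client sent it, including its `project_id`, and no ownership or permission check on that id is visible in the hunk — if it does not live inside `saveProjectData()`, it needs to be added here before the call. `$ret['project'] = json_encode($project);` also stores a JSON string inside `$ret`; if `$ret` is itself serialised with `json_encode` further down (not shown), the client receives a double-encoded string rather than an object, and either way it reflects back every key the client submitted rather than what was stored, so `$ret['project'] = $project;` is the safer interim until the FIXME reload is done. The `case 'edit'` branch and its enclosing switch continue beyond the hunk.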
@@ -549,33 +549,33 @@ function saveProjectData($data){
 else $summarycountok=1;
- if($config['participant_project_title_charmax'] && strlen(stripslashes($data['title']))>$config['participant_project_title_charmax']) //0 for no limit, eg 255 database field limit
+ if($config['participant_project_title_charmax'] && strlen($data['title'])>$config['participant_project_title_charmax']) //0 for no limit, eg 255 database field limit
 {
- $title=substr(stripslashes($data['title']),0,$config['participant_project_title_charmax']);
+ $title=substr($data['title'],0,$config['participant_project_title_charmax']);
 $message = i18n("Project title truncated to %1 characters",array($config['participant_project_title_charmax']));
 }
 else
- $title=stripslashes($data['title']);
+ $title=$data['title'];
 if($config['participant_short_title_enable'] == 'yes' && $config['participant_short_title_charmax']
- && strlen(stripslashes($data['shorttitle']))>$config['participant_short_title_charmax']) //0 for no limit, eg 255 database field limit
+ && strlen($data['shorttitle'])>$config['participant_short_title_charmax']) //0 for no limit, eg 255 database field limit
 {
- $shorttitle=substr(stripslashes($data['shorttitle']),0,$config['participant_short_title_charmax']);
+ $shorttitle=substr($data['shorttitle'],0,$config['participant_short_title_charmax']);
 $message = i18n("Short project title truncated to %1 characters",array($config['participant_short_title_charmax']));
 }
 else
- $shorttitle=stripslashes($data['shorttitle']);
+ $shorttitle=$data['shorttitle'];
 mysql_query("UPDATE projects SET " .
- "title='" . mysql_escape_string($title)."', " .
- "shorttitle='" . mysql_escape_string($shorttitle) . "', " .
+ "title='" . mysql_real_escape_string($title)."', " .
+ "shorttitle='" . mysql_real_escape_string($shorttitle) . "', " .
 "projectdivisions_id='" . $data['projectdivisions_id'] . "', " .
- "language='" . mysql_escape_string(stripslashes($data['language'])) . "', " .
- "req_table='" . mysql_escape_string(stripslashes($data['req_table'])) . "', " .
- "req_electricity='" . mysql_escape_string(stripslashes($data['req_electricity'])) . "', " .
- "req_special='" . mysql_escape_string(stripslashes($data['req_special'])) . "', " .
- "summary='" . mysql_escape_string(stripslashes($data['summary'])) . "', " .
+ "language='" . mysql_real_escape_string($data['language']) . "', " .
+ "req_table='" . mysql_real_escape_string($data['req_table']) . "', " .
+ "req_electricity='" . mysql_real_escape_string($data['req_electricity']) . "', " .
+ "req_special='" . mysql_real_escape_string($data['req_special']) . "', " .
+ "summary='" . mysql_real_escape_string($data['summary']) . "', " .
 "summarycountok='$summarycountok'" .
 "WHERE id='" . $data['project_id'] . "'");
 $message = mysql_error();
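Review bot: `projectdivisions_id` and `project_id` still go into the UPDATE unescaped on the unchanged lines `"projectdivisions_id='" . $data['projectdivisions_id'] . "', "` and `"WHERE id='" . $data['project_id'] . "'"`, while this hunk removes every `stripslashes()` call, i.e. it assumes the input no longer arrives pre-escaped by magic quotes; combined with the api.php change that feeds a `json_decode()`d array into `saveProjectData()`, a quote in either value now reaches the query verbatim, so a client can likely alter the WHERE clause and update rows belonging to other projects. Both are integer ids per the API doc, so cast them: `"projectdivisions_id='" . (int)$data['projectdivisions_id'] . "', "` and `"WHERE id='" . (int)$data['project_id'] . "'"`. The escaped `language`, `req_table` and `req_electricity` values are documented as char(2) and enum('no','yes') but are not validated here — a whitelist such as `in_array($data['req_table'], array('no','yes'))` before the query would reject bad values explicitly instead of relying on the column definition. `saveProjectData()` begins before this hunk, so any ownership check on `project_id` that may exist there is not visible; this comment concerns the escaping only.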