From 3ebb655d085f4f8dcfee7450d74612c22cb7403b Mon Sep 17 00:00:00 2001
From: james <james>
Date: Tue, 19 Jan 2010 04:32:12 +0000
Subject: [PATCH] Hmmm, add some missins stripslashes.. stupid fucking magic
 quotes

---
 admin/fundraising_setup.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/admin/fundraising_setup.php b/admin/fundraising_setup.php
index 29e9778..92782d8 100644
--- a/admin/fundraising_setup.php
+++ b/admin/fundraising_setup.php
@@ -46,9 +46,9 @@
      $q=mysql_query("SELECT * FROM fundraising_goals WHERE fiscalyear='-1'");
      while($r=mysql_fetch_object($q)) {
          mysql_query("INSERT INTO fundraising_goals (`goal`,`name`,`description`,`system`,`budget`,`fiscalyear`) VALUES (
-            '".mysql_real_escape_string($r->goal)."',
-            '".mysql_real_escape_string($r->name)."',
-            '".mysql_real_escape_string($r->description)."',
+            '".mysql_real_escape_string(stripslashes($r->goal))."',
+            '".mysql_real_escape_string(stripslashes($r->name))."',
+            '".mysql_real_escape_string(stripslashes($r->description))."',
             '".mysql_real_escape_string($r->system)."',
             '".mysql_real_escape_string($r->budget)."',
             '".$config['FISCALYEAR']."')");
@@ -67,7 +67,7 @@
             echo "<input type=\"hidden\" name=\"id\" value=\"$r->id\">\n";
             echo "<table style=\"width: 100%;\">";
             echo "<tr><td>";
-            echo i18n("Level Name").":</td><td><input type=\"text\" size=\"40\" name=\"level\" value=\"$r->level\"></td></tr>\n";
+            echo i18n("Level Name").":</td><td><input type=\"text\" size=\"40\" name=\"level\" value=\"".htmlspecialchars($r->level)."\"></td></tr>\n";
             echo "<tr><td>";
             echo i18n("Value Range").":</td><td>\$<input size=\"5\" type=\"text\" name=\"min\" value=\"$r->min\"> to \$<input size=\"5\" type=\"text\" name=\"max\" value=\"$r->max\"><br />\n";
             echo "</td></tr>\n";
@@ -122,7 +122,7 @@
 
             echo "<table style=\"width: 100%;\">";
             echo "<tr><td>";
-            echo i18n("Purpose").":</td><td><input type=\"text\" size=\"40\" name=\"name\" value=\"$r->name\"></td></tr>\n";
+            echo i18n("Purpose").":</td><td><input type=\"text\" size=\"40\" name=\"name\" value=\"".htmlspecialchars($r->name)."\"></td></tr>\n";
             echo "<tr><td>";
             echo i18n("Budget Amount").":</td><td>\$<input size=\"5\" type=\"text\" name=\"budget\" value=\"$r->budget\"></td></tr>";
             echo "<tr><td>";
@@ -213,8 +213,8 @@
                 mysql_query("UPDATE fundraising_donor_levels SET
                     min='".mysql_real_escape_string($_POST['min'])."',
                     max='".mysql_real_escape_string($_POST['max'])."',
-                    level='".mysql_real_escape_string($_POST['level'])."',
-                    description='".mysql_real_escape_string($_POST['description'])."'
+                    level='".mysql_real_escape_string(stripslashes($_POST['level']))."',
+                    description='".mysql_real_escape_string(stripslashes($_POST['description']))."'
                     WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
                     ");
                 happy_("Level Saved");
@@ -247,8 +247,8 @@
                 mysql_query("UPDATE fundraising_goals SET
                     budget='".mysql_real_escape_string($_POST['budget'])."',
                     deadline='".mysql_real_escape_string($_POST['deadline'])."',
-                    name='".mysql_real_escape_string($_POST['name'])."',
-                    description='".mysql_real_escape_string($_POST['description'])."'
+                    name='".mysql_real_escape_string(stripslashes($_POST['name']))."',
+                    description='".mysql_real_escape_string(stripslashes($_POST['description']))."'
                     WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
                     ");
                 happy_("Purpose Saved");

"; - echo i18n("Level Name").":	level\">
level)."\">
"; echo i18n("Value Range").":	\$min\"> to \$max\"> \n"; echo "
"; - echo i18n("Purpose").":	name\">
name)."\">
"; echo i18n("Budget Amount").":	\$budget\">
"; @@ -213,8 +213,8 @@ mysql_query("UPDATE fundraising_donor_levels SET min='".mysql_real_escape_string($_POST['min'])."', max='".mysql_real_escape_string($_POST['max'])."', - level='".mysql_real_escape_string($_POST['level'])."', - description='".mysql_real_escape_string($_POST['description'])."' + level='".mysql_real_escape_string(stripslashes($_POST['level']))."', + description='".mysql_real_escape_string(stripslashes($_POST['description']))."' WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}' "); happy_("Level Saved"); @@ -247,8 +247,8 @@ mysql_query("UPDATE fundraising_goals SET budget='".mysql_real_escape_string($_POST['budget'])."', deadline='".mysql_real_escape_string($_POST['deadline'])."', - name='".mysql_real_escape_string($_POST['name'])."', - description='".mysql_real_escape_string($_POST['description'])."' + name='".mysql_real_escape_string(stripslashes($_POST['name']))."', + description='".mysql_real_escape_string(stripslashes($_POST['description']))."' WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}' "); happy_("Purpose Saved");