Hmmm, add some missing stripslashes.. stupid fucking magic quotes

This commit is contained in:
james 2010-01-19 04:32:12 +00:00
parent de835bf5f5
commit 3ebb655d08


@ -46,9 +46,9 @@
$q=mysql_query("SELECT * FROM fundraising_goals WHERE fiscalyear='-1'"); $q=mysql_query("SELECT * FROM fundraising_goals WHERE fiscalyear='-1'");
while($r=mysql_fetch_object($q)) { while($r=mysql_fetch_object($q)) {
mysql_query("INSERT INTO fundraising_goals (`goal`,`name`,`description`,`system`,`budget`,`fiscalyear`) VALUES ( mysql_query("INSERT INTO fundraising_goals (`goal`,`name`,`description`,`system`,`budget`,`fiscalyear`) VALUES (
'".mysql_real_escape_string($r->goal)."', '".mysql_real_escape_string(stripslashes($r->goal))."',
'".mysql_real_escape_string($r->name)."', '".mysql_real_escape_string(stripslashes($r->name))."',
'".mysql_real_escape_string($r->description)."', '".mysql_real_escape_string(stripslashes($r->description))."',
'".mysql_real_escape_string($r->system)."', '".mysql_real_escape_string($r->system)."',
'".mysql_real_escape_string($r->budget)."', '".mysql_real_escape_string($r->budget)."',
'".$config['FISCALYEAR']."')"); '".$config['FISCALYEAR']."')");
@ -67,7 +67,7 @@
echo "<input type=\"hidden\" name=\"id\" value=\"$r->id\">\n"; echo "<input type=\"hidden\" name=\"id\" value=\"$r->id\">\n";
echo "<table style=\"width: 100%;\">"; echo "<table style=\"width: 100%;\">";
echo "<tr><td>"; echo "<tr><td>";
echo i18n("Level Name").":</td><td><input type=\"text\" size=\"40\" name=\"level\" value=\"$r->level\"></td></tr>\n"; echo i18n("Level Name").":</td><td><input type=\"text\" size=\"40\" name=\"level\" value=\"".htmlspecialchars($r->level)."\"></td></tr>\n";
echo "<tr><td>"; echo "<tr><td>";
echo i18n("Value Range").":</td><td>\$<input size=\"5\" type=\"text\" name=\"min\" value=\"$r->min\"> to \$<input size=\"5\" type=\"text\" name=\"max\" value=\"$r->max\"><br />\n"; echo i18n("Value Range").":</td><td>\$<input size=\"5\" type=\"text\" name=\"min\" value=\"$r->min\"> to \$<input size=\"5\" type=\"text\" name=\"max\" value=\"$r->max\"><br />\n";
echo "</td></tr>\n"; echo "</td></tr>\n";
@ -122,7 +122,7 @@
echo "<table style=\"width: 100%;\">"; echo "<table style=\"width: 100%;\">";
echo "<tr><td>"; echo "<tr><td>";
echo i18n("Purpose").":</td><td><input type=\"text\" size=\"40\" name=\"name\" value=\"$r->name\"></td></tr>\n"; echo i18n("Purpose").":</td><td><input type=\"text\" size=\"40\" name=\"name\" value=\"".htmlspecialchars($r->name)."\"></td></tr>\n";
echo "<tr><td>"; echo "<tr><td>";
echo i18n("Budget Amount").":</td><td>\$<input size=\"5\" type=\"text\" name=\"budget\" value=\"$r->budget\"></td></tr>"; echo i18n("Budget Amount").":</td><td>\$<input size=\"5\" type=\"text\" name=\"budget\" value=\"$r->budget\"></td></tr>";
echo "<tr><td>"; echo "<tr><td>";
@ -213,8 +213,8 @@
mysql_query("UPDATE fundraising_donor_levels SET mysql_query("UPDATE fundraising_donor_levels SET
min='".mysql_real_escape_string($_POST['min'])."', min='".mysql_real_escape_string($_POST['min'])."',
max='".mysql_real_escape_string($_POST['max'])."', max='".mysql_real_escape_string($_POST['max'])."',
level='".mysql_real_escape_string($_POST['level'])."', level='".mysql_real_escape_string(stripslashes($_POST['level']))."',
description='".mysql_real_escape_string($_POST['description'])."' description='".mysql_real_escape_string(stripslashes($_POST['description']))."'
WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}' WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
"); ");
happy_("Level Saved"); happy_("Level Saved");
@ -247,8 +247,8 @@
mysql_query("UPDATE fundraising_goals SET mysql_query("UPDATE fundraising_goals SET
budget='".mysql_real_escape_string($_POST['budget'])."', budget='".mysql_real_escape_string($_POST['budget'])."',
deadline='".mysql_real_escape_string($_POST['deadline'])."', deadline='".mysql_real_escape_string($_POST['deadline'])."',
name='".mysql_real_escape_string($_POST['name'])."', name='".mysql_real_escape_string(stripslashes($_POST['name']))."',
description='".mysql_real_escape_string($_POST['description'])."' description='".mysql_real_escape_string(stripslashes($_POST['description']))."'
WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}' WHERE id='$id' AND fiscalyear='{$config['FISCALYEAR']}'
"); ");
happy_("Purpose Saved"); happy_("Purpose Saved");
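Review bot: The stripslashes() added to the `$_POST['level']`, `$_POST['description']` and `$_POST['name']` writes in the `@ -213` and `@ -247` hunks runs unconditionally, so on a host where magic_quotes_gpc is off it silently strips legitimate backslashes from user input before the UPDATE; guard it with the runtime check, e.g. `$level = get_magic_quotes_gpc() ? stripslashes($_POST['level']) : $_POST['level'];` and then `level='".mysql_real_escape_string($level)."'`. In the same two UPDATEs the `WHERE id='$id'` clause is still interpolated without escaping, which this commit leaves untouched; it is not visible here where `$id` is assigned, but if it originates from the request it should be cast (`(int)$id`) or passed through mysql_real_escape_string like the other values. The `@ -67` and `@ -122` hunks wrap `$r->level` and `$r->name` in htmlspecialchars() but leave `$r->min`, `$r->max` and `$r->budget` echoed raw into value="..." attributes on the following lines, so the same treatment is worth applying there for consistency. The enclosing functions of every hunk start and end outside the shown ranges.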