diff --git a/super/conferences.php b/super/conferences.php
index feac1c62..4aafa031 100644
--- a/super/conferences.php
+++ b/super/conferences.php
@@ -133,8 +133,8 @@ if(array_key_exists('action', $_GET)){
break;
case 'edit':
// give them an editor in which to modify an existing conference
- $cid = $_POST['id'];
- if(is_numeric($cid)){
+ $cid = intval($_POST['id']);
+ if(!$cid){
$conf = mysql_fetch_assoc(mysql_query("SELECT * FROM conferences WHERE id = $cid"));
if(is_array($conf)){
echo "
";
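Review bot: The new guard `if(!$cid){` is inverted relative to the `is_numeric($cid)` check it replaces. The SELECT now runs only when `intval()` returned 0 (a missing, zero or non-numeric id), so a valid conference id never reaches the editor. It should read `if($cid){`, or `if($cid > 0){` to also reject negative values. The `edit` case continues outside the hunk, so any else branch that reports the invalid id is not visible here.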
@@ -162,33 +162,35 @@ if(array_key_exists('action', $_GET)){
break;
case 'save':
// save the new conference data for the conference that's being edited
- $confId = $_POST['id'];
- if(!is_numeric($confId)){
+ $confId = intval($_POST['id']);
+ if(!$confId) {
error_("invalid conference id");
}
- // verify that the specified conference already exists
- $countRecord = mysql_fetch_assoc(mysql_query("SELECT COUNT(*) as tally FROM conferences WHERE id = $confId"), 0);
- $tally = $countRecord['tally'];
- if($tally == 1){
- // ok, it's a valid conference id. Let's go ahead and update the data for it
- $confType = mysql_real_escape_string($_POST['confType']);
- $confName = mysql_real_escape_string($_POST['confName']);
- $confStatus = mysql_real_escape_string($_POST['confStatus']);
- mysql_query("UPDATE conferences SET type='$confType', name='$confName', status='$confStatus' WHERE id='$confId'");
- $errMsg = mysql_error();
- if($errMsg != null){
- error_("SQL error: $errMsg");
+ else {
+ // verify that the specified conference already exists
+ $countRecord = mysql_fetch_assoc(mysql_query("SELECT COUNT(*) as tally FROM conferences WHERE id = $confId"));
+ $tally = $countRecord['tally'];
+ if($tally == 1){
+ // ok, it's a valid conference id. Let's go ahead and update the data for it
+ $confType = mysql_real_escape_string($_POST['confType']);
+ $confName = mysql_real_escape_string($_POST['confName']);
+ $confStatus = mysql_real_escape_string($_POST['confStatus']);
+ mysql_query("UPDATE conferences SET type='$confType', name='$confName', status='$confStatus' WHERE id='$confId'");
+ $errMsg = mysql_error();
+ if($errMsg != null){
+ error_("SQL error: $errMsg");
+ }else{
+ happy_("Conference updated successfully");
+ }
}else{
- happy_("Conference updated successfully");
+ error_("nonexistant conference id");
}
- }else{
- error_("nonexistant conference id");
}
break;
case 'delete':
// delete the specified conference
- $confId = $_POST['id'];
- if(!is_numeric($confId)){
+ $confId = intval($_POST['id']);
+ if(!$confId){
error_("invalid conference id");
}else{
mysql_query("UPDATE conferences set status='deleted' WHERE id = $confId");
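Review bot: `intval($_POST['id'])` in the `save` and `delete` branches coerces rather than validates, so a value such as `12abc` is now silently treated as conference 12 where `is_numeric` used to reject it, and negative ids pass the `!$confId` test. A stricter form that keeps the existing `if(!$confId)` check is `$confId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));`, which yields null or false for a missing or malformed id. Separately, `error_("SQL error: $errMsg")` appears to send the raw database error to the client; logging it server-side and showing a generic message would avoid disclosing schema details. The `delete` case continues past the end of the hunk.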